PT-2026-28531 · Avideo · Avideo

Offset · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-33759

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The objects/playlistsVideos.json.php endpoint does not enforce authentication or authorization checks, allowing access to the full video contents of any playlist by its ID. While private playlists are hidden from listing endpoints such as playlistsFromUser.json.php, their contents are directly accessible through objects/playlistsVideos.json.php by supplying the playlists_id parameter. This bypass allows an unauthenticated attacker to enumerate all users' watch history and favorites and to access unlisted or private custom playlists, resulting in a privacy violation. The playlists_id parameter is a sequential integer, which simplifies enumeration. The endpoint accepts the playlists_id parameter and passes it to PlayList::getVideosFromPlaylist() without validation; that function performs a SQL query joining the playlists_has_videos, videos, and users tables without any authorization filter.

Recommendations: Add authorization checks to objects/playlistsVideos.json.php before returning playlist contents. Specifically, verify user ownership or administrative privileges before accessing private, unlisted, watch later, or favorite playlists.
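An added example (not AVideo's code) of the authorization gate the recommendation describes, written in PHP because the endpoint is a PHP script: validate the id, load the playlist row, check ownership or admin rights, and only then call the existing query function. The status constants, the row fields `users_id` and `status`, the 404-for-forbidden choice, and the `$loadPlaylist` / `$getVideos` callables are assumptions; `playlists_id` and `PlayList::getVideosFromPlaylist()` are the names the advisory gives.

```php
<?php
// Added example, not AVideo's own code. Field names, status values and the
// two callables are assumptions made for illustration.

// Assumed status values a playlist row may carry.
const PLAYLIST_PUBLIC      = 'public';
const PLAYLIST_UNLISTED    = 'unlisted';
const PLAYLIST_PRIVATE     = 'private';
const PLAYLIST_WATCH_LATER = 'watch_later';
const PLAYLIST_FAVORITE    = 'favorite';

/**
 * Decide whether the current request may read a playlist's contents.
 * $playlist : row with 'users_id' and 'status' (assumed shape)
 * $viewerId : id of the logged-in user, or null when unauthenticated
 * $isAdmin  : whether the viewer holds administrative privileges
 */
function canViewPlaylist(array $playlist, ?int $viewerId, bool $isAdmin): bool {
    if ($isAdmin) {
        return true;
    }
    // Only public playlists are readable by id alone. Unlisted, private,
    // watch-later and favorite playlists require ownership, matching the
    // list of playlist types named in the recommendation.
    if ($playlist['status'] === PLAYLIST_PUBLIC) {
        return true;
    }
    return $viewerId !== null && (int)$playlist['users_id'] === $viewerId;
}

/**
 * Hardened request flow for objects/playlistsVideos.json.php.
 * $loadPlaylist(int $id): ?array   -> playlist row or null (assumed helper)
 * $getVideos(int $id): array       -> wraps PlayList::getVideosFromPlaylist()
 */
function handlePlaylistVideosRequest(array $get, ?int $viewerId, bool $isAdmin,
                                     callable $loadPlaylist, callable $getVideos): array {
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($get['playlists_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'body' => ['error' => 'invalid playlists_id']];
    }
    $playlist = $loadPlaylist($id);
    if ($playlist === null || !canViewPlaylist($playlist, $viewerId, $isAdmin)) {
        // Same response for "missing" and "forbidden", so probing sequential
        // ids does not reveal which restricted playlists exist.
        return ['status' => 404, 'body' => []];
    }
    return ['status' => 200, 'body' => $getVideos($id)];
}
```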

Weakness Enumeration: IDOR, Missing Authorization

Related Identifiers: CVE-2026-33759, GHSA-75QQ-68M8-PVFR

Affected Products: Avideo