PT-2026-28532 · Avideo · Scheduler+1

Offset · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-33761

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The Scheduler plugin in AVideo lacks authentication checks on three list.json.php endpoints: plugin/Scheduler/View/Scheduler commands/list.json.php, plugin/Scheduler/View/Emails messages/list.json.php, and plugin/Scheduler/View/Email to user/list.json.php. This allows an unauthenticated attacker to retrieve sensitive information by sending simple GET requests to these API endpoints: all scheduled tasks (with internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings. The Scheduler commands table stores callbackURL and parameters, which may reveal internal API endpoints and user IDs. The Emails messages table contains subject and message fields with full HTML email bodies. The Email to user table maps user IDs to email message IDs, exposing user targeting information. Exploitation involves sending GET requests to the vulnerable endpoints: getAll() is called without any authentication check and returns the entire table contents.

Recommendations: Add User::isAdmin() checks to the following files:
  • plugin/Scheduler/View/Scheduler commands/list.json.php
  • plugin/Scheduler/View/Emails messages/list.json.php
  • plugin/Scheduler/View/Email to user/list.json.php
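One way to apply the recommended check, shown here as an added example rather than AVideo's own code: the bootstrap include path and the Scheduler_commands class name are assumptions, while User::isAdmin() and getAll() are the calls the advisory names.

```php
<?php
// Added example, not AVideo project code: the guard the advisory recommends,
// placed at the top of each affected plugin/Scheduler/View/*/list.json.php.
// Assumption: the usual AVideo bootstrap include loads the User class.
require_once dirname(__FILE__) . '/../../../../videos/configuration.php';

header('Content-Type: application/json');

// Vulnerable form (the defect described above): no check at all, so any
// anonymous GET receives the whole table:
//     echo json_encode(Scheduler_commands::getAll());
//
// Hardened form: require an admin session before touching the table.
if (!User::isAdmin()) {
    http_response_code(403);
    echo json_encode(['error' => true, 'msg' => 'Admin privileges required']);
    exit;
}

// Scheduler_commands is a placeholder for the plugin's table class; the
// advisory names only its getAll() method.
$rows = Scheduler_commands::getAll();
echo json_encode($rows);
```

The same guard goes into the Emails messages and Email to user endpoints, each with its own table class in place of the placeholder.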

Weakness Enumeration

Information Disclosure
Missing Authorization

Related Identifiers

CVE-2026-33761
GHSA-J724-5C6C-68G5

Affected Products

Avideo
Scheduler