CVE-2026-33685: AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

March 25, 2026

The plugin/AD_Server/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (reports.php) and CSV export (getCSV.php) both correctly enforce User::isAdmin(), but the JSON API was left unprotected.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45dde
github.com/WWBN/AVideo/security/advisories/GHSA-j36m-74g2-7m95
github.com/advisories/GHSA-j36m-74g2-7m95
nvd.nist.gov/vuln/detail/CVE-2026-33685

Code Behaviors & Features

Detect and mitigate CVE-2026-33685 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →