CVE-2026-33761: AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.
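A defender-side check for the pattern described above, as an added example that is not AVideo's own code: it lists PHP files under a plugin directory that never call `User::isAdmin()`. The subdirectory names and file bodies in the sample tree are constructed, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Guard named in the advisory; add other guards your code base uses.
GUARD = re.compile(r"\bUser::isAdmin\s*\(")
# Strip PHP comments so a commented-out guard does not count as a check.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def unguarded_endpoints(plugin_root):
    """Return sorted relative paths of .php files with no User::isAdmin() call."""
    root = Path(plugin_root)
    missing = []
    for path in root.rglob("*.php"):
        source = COMMENTS.sub("", path.read_text(errors="replace"))
        if not GUARD.search(source):
            missing.append(path.relative_to(root).as_posix())
    return sorted(missing)


def build_sample_tree(root):
    """Constructed sample: directory names and file bodies are hypothetical."""
    guarded = "<?php\nif (!User::isAdmin()) { die('forbidden'); }\necho '[]';\n"
    # The only mention of the guard here is inside a comment.
    exposed = "<?php\n// if (!User::isAdmin()) { die(); }\necho json_encode($rows);\n"
    for sub in ("tasks", "emails"):
        directory = Path(root) / sub
        directory.mkdir(parents=True)
        for name in ("add.json.php", "delete.json.php", "index.php"):
            (directory / name).write_text(guarded)
        (directory / "list.json.php").write_text(exposed)


def sample_findings():
    """Run the audit over the constructed tree and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return unguarded_endpoints(tmp)


if __name__ == "__main__":
    for rel in sample_findings():
        print("no admin check:", rel)
```

A hit is a file to review, not a verdict: a guard may live in an included file, and the comment stripping is a heuristic.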