CVE-2026-33761: CWE-862: Missing Authorization in WWBN AVideo
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
AI Analysis
Technical Summary
WWBN AVideo is an open-source video platform whose Scheduler plugin manages scheduled tasks and email communications. In versions up to and including 26.0, three `list.json.php` endpoints in that plugin perform no authentication or authorization check at all, while the sibling endpoints in the same directories (`add.json.php`, `delete.json.php`, `index.php`) gate access behind `User::isAdmin()`. The defect is CWE-862 (Missing Authorization) in its plainest form: the check is not bypassed or weakened, it is simply absent from these three files. An unauthenticated attacker needs only a plain HTTP GET to each endpoint to retrieve every scheduled task (including internal callback URLs and their parameters), the email messages composed by administrators, and the user-to-email targeting mappings, so the practical result is information disclosure (CWE-200) that supports reconnaissance and social engineering. The CVSS 3.1 base score is 5.3 (medium), consistent with a network-reachable, low-complexity attack that needs no privileges or user interaction and affects confidentiality only, with no integrity or availability impact. The vendor fixed the issue in commit 83390ab1fa8dca2de3f8fa76116a126428405431. No public exploit has been reported to date.
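The pattern the advisory describes, one endpoint missing the gate its siblings have, is easy to catch mechanically. The following Python script is an added example, not code from the AVideo project or its patch: it walks a plugin tree and reports any PHP script in a directory where at least one sibling calls `User::isAdmin()` but the script itself does not. The directory layout, the `fetch_all_*` function names and the PHP bodies are constructed stand-ins; only the file names and `User::isAdmin()` come from the advisory.

```python
import os
import re
import tempfile
from collections import defaultdict

# The authorization gate named in the advisory. Extend the alternation if a
# code base uses additional gates.
AUTH_GATE = re.compile(r"\bUser::isAdmin\s*\(")

# Constructed stand-ins for plugin endpoint scripts. The directory layout and the
# fetch_all_tasks()/fetch_all_emails() names are hypothetical; only the file
# names and User::isAdmin() come from the advisory.
GATED_PROLOGUE = (
    "<?php\n"
    "if (!User::isAdmin()) {\n"
    "    http_response_code(403);\n"
    "    die(json_encode(['error' => 'admin only']));\n"
    "}\n"
)
SAMPLE_PLUGIN = {
    "Scheduler/tasks/index.php": GATED_PROLOGUE + "// render the admin UI\n",
    "Scheduler/tasks/add.json.php": GATED_PROLOGUE + "// insert a scheduled task\n",
    "Scheduler/tasks/delete.json.php": GATED_PROLOGUE + "// delete a scheduled task\n",
    # The vulnerable shape: same directory, same data, no gate at all.
    "Scheduler/tasks/list.json.php": "<?php\ndie(json_encode(fetch_all_tasks()));\n",
    "Scheduler/emails/add.json.php": GATED_PROLOGUE + "// store an admin-composed email\n",
    "Scheduler/emails/list.json.php": "<?php\ndie(json_encode(fetch_all_emails()));\n",
    # A directory where every script is gated produces no finding.
    "OtherPlugin/add.json.php": GATED_PROLOGUE,
    "OtherPlugin/list.json.php": GATED_PROLOGUE,
    # Non-PHP files are ignored.
    "Scheduler/README.md": "docs\n",
}


def build_sample_tree(files=SAMPLE_PLUGIN):
    """Write the constructed files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="plugin_audit_")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def classify(root, gate=AUTH_GATE):
    """Return {relative_dir: (gated_files, ungated_files)} for each dir holding .php files."""
    by_dir = defaultdict(lambda: ([], []))
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                gated = bool(gate.search(fh.read()))
            rel_dir = os.path.relpath(dirpath, root)
            by_dir[rel_dir][0 if gated else 1].append(name)
    return dict(by_dir)


def find_inconsistent_endpoints(root, gate=AUTH_GATE):
    """List 'dir/file' paths that lack the gate while a sibling in the same dir has it.

    Directories in which no script is gated are not flagged: they may be public by
    design and need a manual review rather than a diff against their siblings.
    """
    findings = []
    for rel_dir, (gated, ungated) in classify(root, gate).items():
        if gated and ungated:
            findings.extend(os.path.join(rel_dir, f) for f in ungated)
    return sorted(findings)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_inconsistent_endpoints(sample_root):
        print("missing authorization gate:", hit)
```

Run against a real checkout, point `build_sample_tree` aside and pass the plugin directory to `find_inconsistent_endpoints` directly; a hit is not proof of a vulnerability (the script may be included by a gated parent rather than served directly), but every hit deserves a look.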
Potential Impact
The primary impact of CVE-2026-33761 is unauthorized information disclosure. Without any credentials, an attacker learns every scheduled task with its internal callback URL and parameters, the email messages administrators have composed, and which users are targeted by which emails. The callback URLs reveal the hosts and endpoints the platform calls into, and whatever values travel in their parameters are exposed with them; the email content and user mappings hand a phisher authentic wording and a verified recipient list. The endpoints are read-only, so data cannot be modified or deleted through this flaw, but the exposure of operational detail and personal data still carries privacy, compliance and reputational consequences for organizations running AVideo. Only the Scheduler plugin endpoints in versions up to and including 26.0 are affected. No exploitation in the wild has been reported, but the attack is a single unauthenticated GET per endpoint, so mass harvesting across exposed instances needs no tooling beyond what any scanner already has.
Mitigation Recommendations
Update WWBN AVideo to a release that includes commit 83390ab1fa8dca2de3f8fa76116a126428405431, or apply that commit directly. Where an immediate upgrade is not possible, deny access to the Scheduler plugin's `list.json.php` endpoints at the web server or WAF by path; a WAF cannot see application session state, so restrict those paths to administrative source addresses rather than trying to "block unauthenticated requests", or add the same `User::isAdmin()` gate the sibling endpoints already use. Then assume the data has already been read: review scheduled tasks for callback URLs and parameters that embed credentials or internal hostnames, and rotate anything sensitive. Audit other plugins for the same shape of bug, a script in a directory whose siblings all check `User::isAdmin()` but which does not itself. Watch web server access logs for GET requests to these paths, especially from clients that never load the plugin's admin UI or from many distinct sources, as indicators of harvesting. Finally, keep an incident response plan that covers disclosure of user email addresses.
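To act on the log-monitoring recommendation above, here is an added detection example in Python (not part of the advisory or the AVideo project). It parses combined-format access log lines, counts successful GETs to `list.json.php` under the Scheduler plugin per client, and flags clients that pulled the JSON endpoints without ever loading the plugin's `index.php` admin page, which is how a harvesting script rather than an administrator's browser behaves. The `/plugin/Scheduler/` URL prefix, the sub-directory names and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format up to the response size; referer and UA are ignored.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Assumed URL layout for the plugin; adjust to the deployment being monitored.
LIST_ENDPOINT = re.compile(r"^/plugin/Scheduler/[^?]*list\.json\.php")
ADMIN_UI = re.compile(r"^/plugin/Scheduler/[^?]*index\.php")

# Constructed sample: one scripted client pulling only the JSON endpoints (and
# getting 403 on a gated sibling), one admin browsing normally, one unrelated visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Mar/2026:14:01:02 +0000] "GET /plugin/Scheduler/tasks/list.json.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.9 - - [27/Mar/2026:14:01:03 +0000] "GET /plugin/Scheduler/emails/list.json.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.9 - - [27/Mar/2026:14:01:03 +0000] "GET /plugin/Scheduler/emails/add.json.php HTTP/1.1" 403 58 "-" "python-requests/2.31"
198.51.100.4 - - [27/Mar/2026:14:05:10 +0000] "GET /plugin/Scheduler/tasks/index.php HTTP/1.1" 200 15302 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2026:14:05:11 +0000] "GET /plugin/Scheduler/tasks/list.json.php?_=1 HTTP/1.1" 200 4821 "https://video.example/plugin/Scheduler/tasks/index.php" "Mozilla/5.0"
192.0.2.77 - - [27/Mar/2026:14:06:00 +0000] "GET /video/123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield the named groups of every line that matches the combined format."""
    for line in lines:
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()


def summarize(lines):
    """Per client IP: successful list.json.php hits, bytes returned, and admin UI use."""
    stats = defaultdict(lambda: {"list_hits": 0, "bytes": 0, "admin_ui": False})
    for rec in parse(lines):
        path = rec["path"]
        if LIST_ENDPOINT.match(path) and rec["status"] == "200":
            entry = stats[rec["ip"]]
            entry["list_hits"] += 1
            entry["bytes"] += int(rec["bytes"]) if rec["bytes"] != "-" else 0
        elif ADMIN_UI.match(path):
            stats[rec["ip"]]["admin_ui"] = True
    return dict(stats)


def suspicious_clients(lines):
    """Clients that successfully pulled list.json.php without ever loading the admin UI."""
    return sorted(
        ip for ip, entry in summarize(lines).items()
        if entry["list_hits"] and not entry["admin_ui"]
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip in suspicious_clients(lines):
        s = summarize(lines)[ip]
        print(f"{ip}: {s['list_hits']} list.json.php hits, {s['bytes']} bytes, no admin UI")
```

A 200 on `list.json.php` next to a 403 on `add.json.php` from the same client, as in the sample, is itself a tell: the client has no admin session, yet the listing succeeded. After the patch is applied, the same probe should produce a consistent non-200 response across all three endpoints.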
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, India, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T18:30:14.126Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c697e13c064ed76fb722a0
Added to database: 3/27/2026, 2:44:49 PM
Last enriched: 3/27/2026, 3:01:25 PM
Last updated: 3/27/2026, 11:41:20 PM