CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations - including ownership transfer and deletion of any video - despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
Analysis
Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. …
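The description above traces the bug to two endpoints that each apply their own unrelated gate: the edit endpoint treats `canModerateVideos()` as permission for the whole edit form (ownership field included), while the delete endpoint asks only "does this user own the video?". The example below is an added illustration and not AVideo's code: a small Python model of that pre-patch shape beside a hardened version in which both endpoints consult one field-level policy, plus a regression check a defender would keep to prove a moderator can no longer end up deleting a video they never owned. The `User`, `Video`, store classes and the `active`/`inactive`/`unlisted` state names are assumptions made for the example.

```python
"""Model of the asymmetric authorization boundary (hypothetical, not AVideo's code)."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Set

# Assumed publicity states, matching the advisory's Active / Inactive / Unlisted.
PUBLICITY_STATES = {"active", "inactive", "unlisted"}


@dataclass
class User:
    id: int
    is_admin: bool = False
    can_moderate_videos: bool = False  # the "Videos Moderator" permission


@dataclass
class Video:
    id: int
    owner_id: int
    title: str = ""
    status: str = "active"


class Forbidden(Exception):
    """Raised when an actor is not allowed to perform an operation."""


class VulnerableStore:
    """Pre-fix shape: two endpoints, two unrelated gates.

    edit() admits any moderator to the whole edit form (owner_id included),
    while delete() only checks ownership. Neither gate knows about the other,
    so the effective permission is whatever the two allow in combination.
    """

    def __init__(self, videos: Iterable[Video]):
        self.videos: Dict[int, Video] = {v.id: replace(v) for v in videos}

    def edit(self, actor: User, video_id: int, changes: Dict[str, object]) -> Video:
        video = self.videos[video_id]
        if not (actor.is_admin or actor.id == video.owner_id or actor.can_moderate_videos):
            raise Forbidden("not allowed to edit this video")
        for field_name, value in changes.items():  # no per-field restriction
            setattr(video, field_name, value)
        return video

    def delete(self, actor: User, video_id: int) -> None:
        video = self.videos[video_id]
        if not (actor.is_admin or actor.id == video.owner_id):
            raise Forbidden("not allowed to delete this video")
        del self.videos[video_id]


def allowed_fields(actor: User, video: Video) -> Set[str]:
    """Single policy consulted by every endpoint.

    Moderators get exactly the publicity field, owners get their own content
    fields, and only admins may reassign ownership.
    """
    if actor.is_admin:
        return {"title", "status", "owner_id"}
    if actor.id == video.owner_id:
        return {"title", "status"}
    if actor.can_moderate_videos:
        return {"status"}
    return set()


def may_delete(actor: User, video: Video) -> bool:
    """Deletion stays owner/admin only; moderation never implies it."""
    return actor.is_admin or actor.id == video.owner_id


class HardenedStore(VulnerableStore):
    """Both endpoints derive their decision from the shared policy above."""

    def edit(self, actor: User, video_id: int, changes: Dict[str, object]) -> Video:
        video = self.videos[video_id]
        permitted = allowed_fields(actor, video)
        if not permitted:
            raise Forbidden("not allowed to edit this video")
        disallowed = set(changes) - permitted
        if disallowed:
            raise Forbidden(f"fields not permitted for this actor: {sorted(disallowed)}")
        if "status" in changes and changes["status"] not in PUBLICITY_STATES:
            raise ValueError("invalid publicity state")
        for field_name, value in changes.items():
            setattr(video, field_name, value)
        return video

    def delete(self, actor: User, video_id: int) -> None:
        video = self.videos[video_id]
        if not may_delete(actor, video):
            raise Forbidden("not allowed to delete this video")
        del self.videos[video_id]


def moderator_can_delete_foreign_video(store_cls) -> bool:
    """Regression check over constructed sample data: does the moderator
    permission let a user remove a video they never owned?"""
    owner, moderator = User(id=1), User(id=2, can_moderate_videos=True)
    store = store_cls([Video(id=10, owner_id=owner.id, title="sample")])
    try:
        store.edit(moderator, 10, {"owner_id": moderator.id})  # rejected by HardenedStore
        store.delete(moderator, 10)
    except Forbidden:
        return False
    return 10 not in store.videos


def moderator_can_change_publicity(store_cls) -> bool:
    """The documented moderator capability must keep working after the fix."""
    store = store_cls([Video(id=10, owner_id=1)])
    video = store.edit(User(id=2, can_moderate_videos=True), 10, {"status": "unlisted"})
    return video.status == "unlisted" and video.owner_id == 1
```

The design point is the shared `allowed_fields()` / `may_delete()` pair: each endpoint expresses the same role model, so adding a capability to one role cannot silently widen what another endpoint grants. Running the two checks against both store classes gives the expected before/after picture: the regression check returns `True` for `VulnerableStore` and `False` for `HardenedStore`, while the publicity check returns `True` for both.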
Remediation
Within 24 hours: Identify all AVideo instances running version 26.0 or earlier and restrict "Videos Moderator" role assignments to highly trusted personnel only; audit current moderator accounts for suspicious activity. Within 7 days: Contact WWBN for patch availability status and subscribe to security advisories; implement network segmentation to limit moderator account access if the patch remains unavailable. …
EUVD-2026-14488
GHSA-8x77-f38v-4m5j