Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33719 is a high-severity vulnerability affecting the wwbn/avideo CDN plugin, specifically versions up to 26.0. The vulnerability allows unauthenticated attackers to modify the entire CDN configuration through mass assignment. The cause is a bypass of the key validation check: when the plugin is enabled but the authentication key has not been configured, the key defaults to an empty string. A fix is available in a patched version of the plugin.
An attacker exploiting CVE-2026-33719 can gain complete control over the CDN configuration. This includes modifying CDN URLs, storage credentials, and even the authentication key itself. Successful exploitation allows an attacker to redirect traffic, potentially serving malicious content or stealing sensitive data stored by the CDN. The impact extends beyond the immediate plugin, as the CDN configuration often controls access to critical assets. This vulnerability is particularly concerning because it requires no authentication, making it easily exploitable by a wide range of attackers.
Public details of CVE-2026-33719 were disclosed on 2026-03-25. The vulnerability's ease of exploitation, combined with the potential impact, suggests a medium probability of exploitation. No known public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's simplicity makes it likely that one will emerge. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.12% (32% percentile)
The primary mitigation for CVE-2026-33719 is to upgrade to a patched version of the wwbn/avideo CDN plugin. If upgrading immediately is not possible, temporarily disabling the CDN plugin is a viable workaround. As a further precaution, implement strict input validation on all parameters passed to the plugin/CDN/status.json.php and plugin/CDN/disable.json.php endpoints. Monitor access logs for unusual activity targeting these endpoints. After upgrading, confirm the fix by attempting to modify the CDN configuration without providing a valid authentication key; the request should be rejected.
Update AVideo to a version later than 26.0. If updating is not possible, disable the CDN plugin or configure a secure authentication key for the CDN plugin.
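The two defensive properties the advisory implies, a key check that fails closed when no key is configured and an allowlist in place of mass assignment, sketched as an added example. This is not AVideo's code or its actual patch. It assumes PHP 8, and every function name, field name and the `key` request parameter is hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. All names here (function names, field names, the "key"
// request parameter) are hypothetical, not AVideo's real identifiers.

// Fields a remote caller may change; key and credentials are excluded.
const CDN_ASSIGNABLE_FIELDS = ['CDN_enabled', 'CDN_url'];

// Fail closed: an unconfigured (empty) key authenticates no one, so an
// empty or missing request key can never match the empty default.
function cdnKeyIsValid(?string $configuredKey, mixed $suppliedKey): bool
{
    if ($configuredKey === null || trim($configuredKey) === '') {
        return false; // plugin enabled but key never set: reject all
    }
    if (!is_string($suppliedKey) || $suppliedKey === '') {
        return false; // arrays, null and empty strings are never valid
    }
    return hash_equals($configuredKey, $suppliedKey); // constant-time
}

// Copy only allowlisted fields rather than assigning every submitted
// parameter onto the configuration (the mass-assignment pattern).
function applyCdnUpdate(array $config, array $request): array
{
    if (!cdnKeyIsValid($config['key'] ?? null, $request['key'] ?? null)) {
        throw new RuntimeException('CDN key validation failed');
    }
    foreach (CDN_ASSIGNABLE_FIELDS as $field) {
        if (array_key_exists($field, $request) && is_scalar($request[$field])) {
            $config[$field] = $request[$field];
        }
    }
    return $config;
}

// Constructed sample data: one unconfigured site, one with a key set.
$unset = ['CDN_url' => 'https://cdn.example.test', 'key' => ''];
$keyed = ['CDN_url' => 'https://cdn.example.test', 'key' => 'constructed-sample-key'];
$request = ['key' => 'constructed-sample-key', 'CDN_url' => 'https://cdn2.example.test',
            'storage_password' => 'ignored'];
try {
    applyCdnUpdate($unset, ['key' => ''] + $request);
} catch (RuntimeException $e) {
    echo "unconfigured key: rejected\n";
}
var_dump(applyCdnUpdate($keyed, $request) ===
    ['CDN_url' => 'https://cdn2.example.test', 'key' => 'constructed-sample-key']);
```

With a key configured, only the allowlisted `CDN_url` changes; the submitted `storage_password` is dropped and the stored key cannot be overwritten through the request.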
CVE-2026-33719 is a high-severity vulnerability in the wwbn/avideo CDN plugin that allows unauthenticated attackers to modify CDN configurations due to a bypassed key validation check.
You are affected if you are using wwbn/avideo CDN plugin versions 26.0 and below, especially if the authentication key is not configured.
Upgrade to a patched version of the wwbn/avideo CDN plugin. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation.
Refer to the wwbn/avideo project's official website or repository for the latest security advisories and updates.