CVE-2026-33764
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $REQUEST'id' parameter without validating that the AI response belongs to the specified video. An authenticated user wi...