CVE-2026-33688

Medium CVSS: 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.

Vendor

Wwbn

Product

Avideo

CWE

CWE-204

Yayın Tarihi

2026-03-23 19:16:42

Güncelleme

2026-03-25 18:05:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-204 Avideo MEDIUM Wwbn 2026

Referanslar

https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157 https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx

Benzer Kayıtlar

Medium

CVE-2026-34733

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteS…

Medium

CVE-2026-34737

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug…

Medium

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an…

Medium

CVE-2026-34739

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page ref…

Medium

CVE-2026-34740

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link featur…

Medium

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json…