CVE-2026-33038
Severity: HIGH · EPSS 38.4%
CVSS 3.1 base score: 8.1
Published Mar 20, 2026 · Last Modified Mar 23, 2026
Description
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
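A local audit for the condition described above, as an added example that is not part of the advisory or the AVideo project: it classifies a web root by whether the installer endpoint is present and whether the guard file videos/configuration.php exists. The function names, status strings and the web-root argument are assumptions of this example, and it does not detect the installed version.

```shell
#!/bin/sh
# Added example (not AVideo code). The two relative paths come from the
# advisory text; everything else here is an assumption of this example.

# avideo_install_state WEBROOT
# Prints one status word; returns 2 if WEBROOT is not a directory.
avideo_install_state() {
    root=${1:-.}
    [ -d "$root" ] || { echo "not-a-directory"; return 2; }
    installer="$root/install/checkConfiguration.php"
    config="$root/videos/configuration.php"

    if [ ! -e "$installer" ]; then
        # Installer endpoint is not on disk, so it cannot be requested.
        echo "installer-absent"
    elif [ -e "$config" ]; then
        # The guard file exists, which is the only check the page describes.
        echo "initialized"
    else
        # Installer present and guard file missing: the state in which the
        # page says an unauthenticated POST can complete the installation.
        echo "uninitialized-exposed"
    fi
}

# audit_roots WEBROOT...
# Prints "state<TAB>root" per argument; returns non-zero if any is exposed.
audit_roots() {
    exposed=0
    for r in "$@"; do
        state=$(avideo_install_state "$r") || true
        printf '%s\t%s\n' "$state" "$r"
        if [ "$state" = "uninitialized-exposed" ]; then
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Stand-alone use: sh audit.sh /var/www/avideo /srv/other-root
if [ "$#" -gt 0 ]; then
    audit_roots "$@"
fi
```

A result of initialized only means the guard file exists; it does not show who completed the installation, so an unexpected initialized result on a host the operator never set up is worth reviewing. The fix the page gives is upgrading to version 26.0.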
CVSS Details
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
38.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-306 Missing Authentication for Critical Function Authentication
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| wwbn | avideo | * | <26.0 |
References 2
- github.com https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1
- github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx
Remediation
- github.com https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1