CVE-2026-33038

HIGH EPSS 38.4%
Published Mar 20, 2026 (3mo ago) · Modified Mar 23, 2026 (3mo ago)
8.1 CVSS 3.1
High

Description

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
38.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-306 Missing Authentication for Critical Function (Authentication)

Affected Products 1

Vendor  Product  Version  Range
wwbn    avideo   *        <26.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1
    Patch