CVE-2026-33041

MEDIUM EPSS 24.5%
Published Mar 20, 20263mo ago · Modified Mar 23, 20263mo ago
5.3 CVSS 3.1
Medium
Find Similar
Published Mar 20, 2026 3mo ago
Last Modified Mar 23, 2026 3mo ago

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
24.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 1

VendorProductVersionRange
wwbnavideo* <26.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/ea2efd04464560cca93c9ab48b445dbb944a4e46
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-px7x-gq96-rmp5
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/ea2efd04464560cca93c9ab48b445dbb944a4e46
    Patch