CVE-2026-33867

CRITICAL EPSS 4.8%
Published Mar 27, 20263mo ago · Modified Jun 17, 20261w ago
9.1 CVSS 4.0
Critical
Find Similar
Published Mar 27, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.

CVSS Details

Base Score
9.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
4.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-312

Affected Products 1

VendorProductVersionRange
wwbnavideo* ≤26.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/f2d68d2adbf73588ea61be2b781d93120a819e36
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/f2d68d2adbf73588ea61be2b781d93120a819e36
    Patch