CVE-2026-33688

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx	Exploit Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-23 19:16

Updated : 2026-03-25 18:05

NVD link : CVE-2026-33688

Mitre link : CVE-2026-33688

CVE.ORG link : CVE-2026-33688

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-204

Observable Response Discrepancy

{"id": "CVE-2026-33688", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-23T19:16:42.017", "references": [{"url": "https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-204"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned \u2014 at scale and without solving any captcha \u2014 by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de v\u00eddeo de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint de recuperaci\u00f3n de contrase\u00f1a en 'objects/userRecoverPass.php' realiza comprobaciones de existencia de usuario y estado de cuenta antes de validar el captcha. Esto permite a un atacante no autenticado enumerar nombres de usuario v\u00e1lidos y determinar si las cuentas est\u00e1n activas, inactivas o baneadas \u2014 a escala y sin resolver ning\u00fan captcha \u2014 al observar tres respuestas de error JSON distintas. El commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contiene un parche."}], "lastModified": "2026-03-25T18:05:21.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}