CVE-2026-33688
MEDIUM
NVD
CVSS Score: 5.3
Severity: MEDIUM
Published: Mar 23, 2026
Vendor: unknown
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned, at scale and without solving any captcha, by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.
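The check-ordering flaw described above, shown beside a captcha-first ordering. This is an added example, not AVideo's code and not the referenced patch. The account list, messages, captcha value and function names are constructed for illustration, and the single response body for all account states is an extra hardening assumption beyond the reordering itself.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts; the states are the ones the advisory names.
function accountStatus(string $user): ?string
{
    $users = ['alice' => 'active', 'bob' => 'inactive', 'carol' => 'banned'];
    return $users[$user] ?? null;
}

// Hypothetical captcha validator standing in for the application's own.
function captchaIsValid(?string $answer, string $expected): bool
{
    return is_string($answer) && hash_equals($expected, $answer);
}

// Ordering described in the advisory: account checks run before the captcha,
// so each account state yields its own error even with no captcha answer.
function recoverChecksFirst(string $user, ?string $answer, string $expected): array
{
    $status = accountStatus($user);
    if ($status === null) return ['error' => 'User not found'];
    if ($status !== 'active') return ['error' => "User is $status"];
    if (!captchaIsValid($answer, $expected)) return ['error' => 'Invalid captcha'];
    return ['msg' => 'Recovery email sent'];
}

// Captcha first, then one response body for every account state.
function recoverCaptchaFirst(string $user, ?string $answer, string $expected, array &$outbox): array
{
    if (!captchaIsValid($answer, $expected)) return ['error' => 'Invalid captcha'];
    if (accountStatus($user) === 'active') {
        $outbox[] = $user; // stand-in for queuing the recovery email
    }
    return ['msg' => 'If the account is eligible, a recovery email was sent'];
}

$outbox = [];
foreach (['alice', 'bob', 'carol', 'nobody'] as $u) {
    // No captcha answer supplied: compare what each ordering discloses.
    printf("%-7s checks-first=%s captcha-first=%s\n", $u,
        json_encode(recoverChecksFirst($u, null, 'x7Kq')),
        json_encode(recoverCaptchaFirst($u, null, 'x7Kq', $outbox)));
}
// With the correct answer the captcha-first body is still identical per user.
foreach (['alice', 'nobody'] as $u) {
    echo $u, ' ', json_encode(recoverCaptchaFirst($u, 'x7Kq', 'x7Kq', $outbox)), "\n";
}
```

A regression test for the fix can assert that, for a fixed captcha outcome, the response body is byte-identical across existing, inactive, banned and unknown usernames.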