CVE-2026-33763

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Mar 27, 2026

Vendor unknown

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.

References

https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135
https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92