CVE-2026-33038
published 2026-03-20

Priority: P3 (53)
Severity: high, 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.4th percentile)

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| wwbn   | avideo  | < 26.0        | 26.0     |
| wwbn   | avideo  | 0 – 25.0      |          |