CVE-2026-33038
Published 2026-03-20
Priority: P353 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.4th percentile)
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | < 26.0 | 26.0 |
| wwbn | avideo | 0 – 25.0 | — |
GHSA · 2026-03-17 · HIGH · CWE-306
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
## Summary
The `install/checkConfiguration.php` endpoint performs full application initialization — database setup, admin account creation, and configuration file write — from unauthenticated POST input. The only guard is checking whether `videos/configuration.php` already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.
## Affected Component
- `install/checkConfiguration.php` — entire file (lines 1-273)
## Description
### No authentication or access restriction on installer endpoint
The `checkConfiguration.php` file performs the
OSV · 2026-03-17 · HIGH: mirrors the GHSA advisory above (same title, summary and affected component).
No detection rules found.
No public exploits indexed.
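Since no detection rule is indexed, the following is an added example (not code from the page's sources or from the AVideo project) of the check a defender can run over web-server access logs: it looks for requests to the installer endpoint named in the advisory and rates a POST from a non-internal address highest, because on an uninitialized deployment that is precisely the request that completes installation with attacker-controlled values. The Apache/nginx combined log format, the internal-address list and the sample log lines are assumptions constructed for the example; adjust `LOG_RE` and `INTERNAL_NETS` to your environment.

```python
"""Flag access-log evidence of the AVideo web installer being driven remotely.

Added example for CVE-2026-33038 (CWE-306); not AVideo project code. Assumes
the Apache/nginx "combined" log format and an RFC 1918 style internal range.
"""
import ipaddress
import re

# Endpoint named in the advisory. Matched case-insensitively on the path suffix
# so installs under a sub-directory (/avideo/install/...) are still caught.
INSTALLER_PATH = "/install/checkconfiguration.php"

# Combined log format (assumption): ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Addresses from which an installer POST is plausible during a legitimate
# setup (assumption: admins work from loopback or private ranges). Defined
# explicitly rather than via ip.is_private so documentation ranges used in
# the constructed sample below are treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]


def is_internal(ip_str: str) -> bool:
    """True if the client address falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable source: treat as external
    return any(ip in net for net in INTERNAL_NETS)


def classify(method: str, ip_str: str) -> str:
    """POST = an installation attempt; external origin is the takeover case.
    Any other method is a probe for the installer's presence."""
    if method == "POST":
        return "medium" if is_internal(ip_str) else "critical"
    return "low"


def analyze(lines):
    """Return one hit dict per request that targets the installer endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if not path.endswith(INSTALLER_PATH):
            continue
        hits.append({
            "time": m.group("time"),
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "severity": classify(m.group("method"), m.group("ip")),
        })
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a
# documentation range standing in for an arbitrary external client.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Mar/2026:10:01:02 +0000] "GET /install/checkConfiguration.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [20/Mar/2026:10:01:05 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '10.0.0.5 - - [20/Mar/2026:09:00:00 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 87 "https://video.example/install/" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG):
        print(f"{h['severity']:8} {h['time']} {h['ip']:15} {h['method']:4} -> {h['status']}")
```

Run it over the real log with `analyze(open("/var/log/apache2/access.log"))`. A `critical` hit on a host that nobody was installing that day is an incident, not a curiosity: the `videos/configuration.php` the attacker wrote points the application at a database they control, so the host should be rebuilt rather than "re-installed". The durable fix is still to upgrade to 26.0 and to make sure `install/` is never reachable on a deployment that has not been fully configured.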
Wiz · CVSS 8.1 · HIGH
CVE-2026-33038 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33038: PHP vulnerability analysis and mitigation
Description: NVD text, as reproduced at the top of this page.
Score: 8.1 (HIGH) · Published: March 20, 2026