CVE-2026-33041: Sensitive Information Exposure in AVideo

Severity
5.3 MEDIUM (NVD)
EPSS
0.1%
top 81.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Latest update: Mar 17
Published: Mar 20

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed h

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

NVD: wwbn/avideo < 26.0
Packagist: wwbn/avideo 25.0

Patches

🔴 Vulnerability Details (2)

GHSA
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php (2026-03-17)
OSV
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php (2026-03-17)

🕵️ Threat Intelligence (1)

Wiz
CVE-2026-33041 Impact, Exploitability, and Mitigation Steps | Wiz