Description
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
Published: 2026-03-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated application takeover enabling full administrative control
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to trigger the application's full initialization sequence via the install/checkConfiguration.php endpoint, which is reachable without authentication. By submitting a crafted POST request, the attacker chooses the database connection, creates the administrator account, and causes the configuration file to be written, effectively installing the application under attacker-controlled credentials against an attacker-controlled database. Once installed, the attacker holds complete administrative privileges over the video platform, with the ability to manage users, content, and underlying configuration. Because the attacker also supplies the database, nothing the deployment stores afterwards can be trusted: this is a full loss of confidentiality, integrity, and availability for the platform.

Affected Systems

Vulnerable versions are WWBN AVideo 25.0 and earlier. The issue applies to every deployment that has not yet completed the initial setup, since the sole guard is the existence of videos/configuration.php; a deployment whose setup was completed by its operator is not exposed through this path. The problem is resolved in version 26.0.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) categorizes this flaw as high severity: no privileges or user interaction are needed and all three impact metrics are High, but attack complexity is rated High because exploitation only succeeds against a deployment that has not yet written videos/configuration.php. The EPSS score of less than 1% indicates that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; the SSVC assessment recorded on this page does, however, mark Exploitation as "poc", meaning proof-of-concept code exists, with Automatable set to "no". An attacker exploits the flaw by sending a single unauthenticated POST request to install/checkConfiguration.php on an uninitialized server whose install/ directory is reachable from the network. No authentication or user interaction beyond that HTTP request is required, so any AVideo host that is reachable before its initial setup is completed, or that was deployed and never set up, is at risk.

Generated by OpenCVE AI on March 23, 2026 at 17:26 UTC.

Remediation

Vendor fix: upgrade to version 26.0, which the vendor states resolves this issue (see GHSA-2f9h-23f7-8gcx). No vendor-published workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the AVideo installation to version 26.0 or later
  • If a patch cannot be applied immediately, block external access to the install/checkConfiguration.php endpoint (e.g., via firewall rules or .htaccess restrictions)
  • Verify that videos/configuration.php exists and was written by your own setup run; on a host that was reachable while uninitialized, check the web server access log for POST requests to install/checkConfiguration.php from addresses you do not recognize
  • If the installer has already been executed with attacker-controlled settings, treat the deployment as compromised: the written configuration points at a database the attacker controls and the administrator credentials are theirs, so rebuild from a clean install of 26.0 or later with your own database and credentials rather than reconfiguring in place
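As an added example (not code from the AVideo project or from this advisory), the following Python script covers the two checks above: it reports whether videos/configuration.php is present under a given web root, and it scans access-log lines in the standard Apache/nginx combined format for requests to install/checkConfiguration.php, singling out POSTs from addresses that are not the operator's own. The endpoint and file paths come from the advisory; the log lines, IP addresses and script name are constructed for this example, and the script sends no requests itself.

```python
"""Post-exposure audit for CVE-2026-33038 (AVideo web installer).

Added example; this is not code from the AVideo project or the advisory.

  1. installer_guard_present(webroot): report whether videos/configuration.php
     exists, since that file's existence is the only thing stopping
     install/checkConfiguration.php from running the full installation.
  2. find_installer_hits(lines) / untrusted_posts(hits, trusted_ips): scan
     combined-format access-log lines for requests to the installer endpoint
     and single out POSTs from addresses that are not the operator's own,
     because an unauthenticated POST is the exploitation path the advisory
     describes.

SAMPLE_LOG below is constructed for this example (documentation IP ranges).
"""
import re
import sys
from datetime import datetime
from pathlib import Path

INSTALLER_PATH = "/install/checkConfiguration.php"
CONFIG_FILE = Path("videos") / "configuration.php"

# Combined Log Format: client ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a GET probe and a POST from 203.0.113.7 (external), an
# unrelated request, and a POST from the operator's workstation 10.0.0.2.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2026:03:14:05 +0000] "GET /install/checkConfiguration.php?probe=1 HTTP/1.1" 200 120 "-" "python-requests/2.31"
203.0.113.7 - - [21/Mar/2026:03:14:07 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - - [21/Mar/2026:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 9832 "-" "Mozilla/5.0"
10.0.0.2 - - [21/Mar/2026:09:00:01 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 512 "http://avideo.internal/install/" "Mozilla/5.0"
"""


def installer_guard_present(webroot):
    """True if videos/configuration.php exists under webroot.

    False on an internet-reachable host running AVideo <= 25.0 means anyone
    who can reach install/checkConfiguration.php can complete the installation
    with their own admin credentials and database.
    """
    return (Path(webroot) / CONFIG_FILE).is_file()


def find_installer_hits(lines):
    """Return every request whose path ends in INSTALLER_PATH, any method.

    The query string is stripped before matching, and endswith() is used so a
    deployment served from a sub-directory (e.g. /avideo/install/...) is also
    matched. Lines that are not in combined format are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if not path.endswith(INSTALLER_PATH):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "status": int(m.group("status")),
        })
    return hits


def untrusted_posts(hits, trusted_ips=frozenset()):
    """POSTs to the installer from addresses outside the operator's own set.

    A POST is the request the advisory describes; a GET is at most a probe,
    so it is kept in the hit list but not flagged here.
    """
    return [h for h in hits if h["method"] == "POST" and h["ip"] not in trusted_ips]


if __name__ == "__main__":
    # Usage: python audit_avideo_installer.py <webroot> <access.log> [trusted_ip ...]
    # With no arguments it runs against SAMPLE_LOG and the current directory.
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    trusted = frozenset(sys.argv[3:]) or frozenset({"10.0.0.2"})
    print("videos/configuration.php present:", installer_guard_present(webroot))
    for h in untrusted_posts(find_installer_hits(lines), trusted):
        print(f"{h['time'].isoformat()} POST from {h['ip']} -> HTTP {h['status']}")
```

A successful attacker run of the installer is followed by the creation of videos/configuration.php, so a flagged POST whose timestamp sits just before that file's creation time is the strongest indicator that the install was completed by someone other than the operator.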

Advisories
Source: GitHub GHSA
ID: GHSA-2f9h-23f7-8gcx
Title: AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
History

Mon, 23 Mar 2026 16:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo
Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Fri, 20 Mar 2026 05:45:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
Type: Title
Values Added: AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
Type: Weaknesses
Values Added: CWE-306
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:07:54.011Z

Reserved: 2026-03-17T18:10:50.210Z

Link: CVE-2026-33038

Vulnrichment

Updated: 2026-03-20T16:28:26.888Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:11.983

Modified: 2026-03-23T16:24:08.187

Link: CVE-2026-33038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:22Z

Weaknesses