Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential compromise via offline password cracking
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated endpoint, /objects/encryptPass.json.php, exposes AVideo's internal password hashing function: anyone can submit a chosen password and receive the digest the application would store for it, which makes the endpoint a password-hash oracle. On its own the oracle reveals nothing about existing users, but it confirms the exact digest format a deployment uses without any reverse engineering of the code. An attacker who also obtains stored hashes (through SQL injection, an exposed backup, or another leak) can compute candidate digests offline and match them against the leaked rows. The weakness is compounded by the unsalted md5+whirlpool+sha1 chain with no key stretching: every guess costs three fast digests, a single precomputed table covers every user at once, and users who share a password are visible immediately because their stored hashes are identical. Recovered credentials give access to the affected accounts and, for privileged users, to the platform's media assets and administrative functions.

Affected Systems

The vulnerability affects the open‑source video platform produced by WWBN, known as AVideo, in all releases version 25.0 and earlier. These versions expose the /objects/encryptPass.json.php endpoint to unauthenticated requests.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects an unauthenticated, low-complexity information disclosure with limited confidentiality impact and no direct integrity or availability impact; the EPSS score below 1% suggests exploitation is not currently widespread, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The SSVC record marks it as automatable, with proof-of-concept exploitation. Querying the oracle takes nothing more than unauthenticated HTTP requests, but meaningful damage requires a second failure that exposes the stored hashes, such as SQL injection, backup exposure or other data exfiltration. Once hashes are obtained, cracking is an offline, local computation: the oracle's contribution is to hand the attacker the exact algorithm, and the unsalted, unstretched chain is what makes that computation fast. The practical risk is therefore the confidentiality of credentials across the whole user base, administrators included.
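The attack described in the Impact and Risk sections, as an added PHP example (not AVideo's code). The chain is assumed to be nested, sha1(whirlpool(md5(p))) with no salt, because the page names the three digests but not their composition; the leaked rows, wordlist and the local oracle() stand-in for the endpoint are constructed for the demonstration, and the response format of the real endpoint is not shown on this page.

```php
<?php
// Added example, not AVideo code: why an unsalted digest chain plus a hash
// oracle turns a leaked users table into plaintext passwords.
declare(strict_types=1);

// ASSUMED chain: nested hex digests, no salt, no key stretching.
function legacy_hash(string $password): string {
    return sha1(hash('whirlpool', md5($password)));
}

// Stand-in for a request to /objects/encryptPass.json.php: any caller can
// obtain the digest of any chosen password without knowing the chain above.
function oracle(string $password): string {
    return legacy_hash($password);
}

// Constructed "leaked" rows, as if pulled from the users table via SQLi or a backup.
function leaked_rows(): array {
    return [
        ['user' => 'alice', 'hash' => legacy_hash('Summer2024!')],
        ['user' => 'bob',   'hash' => legacy_hash('Summer2024!')],  // same password as alice
        ['user' => 'carol', 'hash' => legacy_hash('correct horse battery staple')],
        ['user' => 'admin', 'hash' => legacy_hash('hunter2')],
    ];
}

// No salt means one digest per candidate is valid for every user at once:
// the table is built once and every leaked row is a constant-time lookup.
function crack(array $rows, array $wordlist): array {
    $table = [];
    foreach ($wordlist as $candidate) {
        $table[oracle($candidate)] = $candidate;   // fetched from the oracle, or computed locally
    }
    $found = [];
    foreach ($rows as $row) {
        if (isset($table[$row['hash']])) {
            $found[$row['user']] = $table[$row['hash']];
        }
    }
    return $found;
}

// Unsalted hashes also expose password reuse without cracking anything:
// identical plaintexts produce identical stored digests.
function shared_passwords(array $rows): array {
    $byHash = [];
    foreach ($rows as $row) {
        $byHash[$row['hash']][] = $row['user'];
    }
    return array_values(array_filter($byHash, fn(array $users) => count($users) > 1));
}

$wordlist = ['password', 'hunter2', 'Summer2024!', 'letmein'];   // constructed
print_r(crack(leaked_rows(), $wordlist));      // alice, bob and admin fall; carol is not in the list
print_r(shared_passwords(leaked_rows()));      // alice and bob are grouped by their common hash

// Contrast: a salted, key-stretched hash yields a different digest for the same
// password on every call, so a precomputed table is useless and each guess
// costs a full bcrypt computation per user.
$h1 = password_hash('Summer2024!', PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash('Summer2024!', PASSWORD_BCRYPT, ['cost' => 12]);
var_dump($h1 !== $h2, password_verify('Summer2024!', $h1));
```

Run it with any PHP 7.4 or later CLI; `whirlpool` is part of PHP's built-in hash extension, so no extra modules are needed. The point to take from it is that the oracle is a convenience rather than the root problem: once the chain is known, an attacker computes it locally at GPU speed, and only a per-user salt plus a slow KDF removes the shared-table and reuse leaks shown above.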

Generated by OpenCVE AI on March 23, 2026 at 17:26 UTC.

Remediation

The advisory states that the issue is fixed in AVideo 26.0; no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade AVideo to version 26.0 or later, where the oracle endpoint has been removed.
  • If upgrading is not immediately possible, deny access to /objects/encryptPass.json.php at the web server or network edge, or require an authenticated session before the script executes; if neither is feasible, delete the file from production deployments.
  • Check web server access logs for bursts of requests to encryptPass.json.php from unauthenticated clients; that pattern indicates someone building a hash table against the deployment.
  • After a database compromise or suspected exposure, reset all user passwords and migrate stored credentials to a salted, key-stretched algorithm such as bcrypt or Argon2, for example by rehashing each account on its next successful login and forcing a reset for accounts that never return.
  • Identify and remediate any other vulnerabilities, particularly SQL injection flaws and exposed backups, that could put the stored password hashes in an attacker's hands.
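The migration recommended above, as an added PHP example that is not AVideo's own code: verify against the legacy digest, and rehash with bcrypt the moment a user proves the password. The legacy chain sha1(whirlpool(md5(p))), the rule that legacy rows hold a bare 40-character hex digest, and the in-memory user table are all assumptions for the demonstration; a real deployment would read and write its users table instead.

```php
<?php
// Added example, not AVideo code: verify-then-rehash migration from an
// unsalted legacy digest to bcrypt, with a transparent cost bump for rows
// that are already bcrypt.
declare(strict_types=1);

const BCRYPT_OPTS = ['cost' => 12];

// ASSUMED legacy chain, no salt, no key stretching.
function legacy_hash(string $password): string {
    return sha1(hash('whirlpool', md5($password)));
}

// ASSUMPTION: legacy rows store the bare 40-char hex sha1 digest. password_hash()
// output is self-describing ($2y$...), so the two formats cannot be confused.
function is_legacy_hash(string $stored): bool {
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

function verify_and_upgrade(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];

    if (is_legacy_hash($stored)) {
        // Constant-time compare against the old chain; never use == on digests.
        if (!hash_equals($stored, legacy_hash($password))) {
            return false;
        }
        // The user has just proved the password: this is the only moment the
        // server holds the plaintext, so rehash now and overwrite the legacy row.
        $users[$name]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already bcrypt: raise the cost transparently when policy changes.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

// Constructed table: alice is still on the legacy chain, dave is already migrated.
$users = [
    'alice' => ['hash' => legacy_hash('Summer2024!')],
    'dave'  => ['hash' => password_hash('s3cr3t-phrase', PASSWORD_BCRYPT, BCRYPT_OPTS)],
];

var_dump(verify_and_upgrade($users, 'alice', 'wrong-guess'));   // a failed login leaves the row untouched
var_dump(is_legacy_hash($users['alice']['hash']));
var_dump(verify_and_upgrade($users, 'alice', 'Summer2024!'));   // a successful login upgrades the row
var_dump(is_legacy_hash($users['alice']['hash']));
var_dump(verify_and_upgrade($users, 'dave', 's3cr3t-phrase'));
```

Rehash-on-login only protects accounts that log in again; every row still holding the legacy digest remains as crackable as before, so after a known or suspected leak the remaining legacy accounts should be force-reset rather than left to migrate on their own.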


Advisories
Source        ID                     Title
GitHub GHSA   GHSA-px7x-gq96-rmp5    AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php
History

Mon, 23 Mar 2026 16:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    NVD-CWE-noinfo
CPEs                          cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 16:15:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wwbn; Wwbn avideo
Vendors & Products                     Wwbn; Wwbn avideo

Fri, 20 Mar 2026 06:00:00 +0000

Type         Values Removed   Values Added
Description                   WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0.
Title                         AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php
Weaknesses                    CWE-200
References
Metrics                       cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:51:35.423Z

Reserved: 2026-03-17T18:10:50.210Z

Link: CVE-2026-33041

Vulnrichment

Updated: 2026-03-20T15:51:27.557Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:12.503

Modified: 2026-03-23T16:15:03.300

Link: CVE-2026-33041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:19Z

Weaknesses