CVE-2026-33688 - Vulnerability Details

- AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.

Published: 2026-03-23

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in the password recovery endpoint of the AVideo platform, where user existence and account status checks are performed before captcha validation. An unauthenticated attacker can trigger three distinct JSON error responses and, without solving any captcha, determine whether a supplied username exists and whether the account is active, inactive, or banned. This allows enumeration of valid usernames and disclosure of account status, represented by CWE‑204.

Affected Systems

The affected product is WWBN AVideo, versions up to and including 26.0. No additional products or vendors are listed.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS score below 1 %, the vulnerability has moderate severity and low to moderate exploitation probability. The attacker requires only unauthenticated access to the public password recovery endpoint, indicating a remote network attack vector. Although the vulnerability is not listed in the CISA KEV catalog, it can still facilitate further attacks such as targeted credential stuffing or impersonation by exposing legitimate usernames and account states.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patched commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 or upgrade to a version newer than 26.0
Restrict access to the password recovery endpoint with firewall rules or rate limiting as a temporary workaround
Monitor application logs for repeated enumeration attempts and investigate anomalous activity

Generated by OpenCVE AI on March 25, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-m99f-mmvg-3xmx	AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00082.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157
https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx

History

Wed, 25 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Tue, 24 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.
Title		AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
Weaknesses		CWE-204
References		https://github.com/WWBN/AVideo/commit/e42f54123b460fd1b2ee01f2ce3d4a386e88d157 https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-23T18:43:59.276Z

Updated: 2026-03-24T14:10:04.402Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33688

Vulnrichment

Updated: 2026-03-24T14:09:53.831Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:42.017

Modified: 2026-03-25T18:05:21.360

Link: CVE-2026-33688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:05Z

Weaknesses

CWE-204

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object