Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.
Published: 2026-03-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via plaintext video passwords
Action: Apply patch
AI Analysis

Impact

AVideo allows owners to set passwords for videos, but the passwords are stored directly in the database without hashing, salting, or encryption. When an attacker can read the database, all video passwords are exposed in cleartext, compromising the confidentiality of protected content. This flaw is a direct result of improper storage of sensitive data and corresponds to CWE-312 (Cleartext Storage of Sensitive Information).

Affected Systems

The vulnerability affects the WWBN AVideo platform, specifically all releases up to and including version 26.0. Users of these versions who employ the video password feature are at risk, while newer releases that have applied the patch are not affected.

Risk and Exploitability

The CVSS 4.0 score of 9.1 classifies this as critical, indicating a high impact should an exploit succeed. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not yet listed in CISA’s KEV catalog. Exploitation requires the attacker to gain read access to the database, which could be achieved through SQL injection, recovery of a backup, or misconfigured database permissions. Once read access is achieved, all video passwords are readable in plaintext, allowing unauthorized viewing of protected videos.

Generated by OpenCVE AI on March 31, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch contained in commit f2d68d2adbf73588ea61be2b781d93120a819e36 or upgrade to a version newer than 26.0.
  • Ensure database credentials are tightly controlled and that database access is limited to trusted administrators.
  • If immediate patching is not possible, consider disabling password protection for videos until the vulnerability is fixed.



Advisories
Source: GitHub GHSA
ID: GHSA-363v-5rh8-23wg
Title: AVideo has Plaintext Video Password Storage

History

Tue, 31 Mar 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 17:00:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.

Type: Title
Values Added: AVideo has Plaintext Video Password Storage

Type: Weaknesses
Values Added: CWE-312

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:57:15.696Z

Reserved: 2026-03-24T15:10:05.678Z

Link: CVE-2026-33867

Vulnrichment

Updated: 2026-03-27T18:44:25.976Z

NVD

Status: Analyzed

Published: 2026-03-27T17:16:29.893

Modified: 2026-03-31T16:43:15.033

Link: CVE-2026-33867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:00Z
