Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CAPTCHA bypass & brute force
Action: Patch
AI Analysis

Impact

WWBN AVideo versions 29.0 and earlier let any unauthenticated client supply the CAPTCHA length (`ql`) in the query string of objects/getCaptcha.php without validation, so the server can be made to generate a single‑character CAPTCHA word. The server compares the submitted answer case‑insensitively (`strcasecmp`) against an alphabet of roughly 33 symbols and does not invalidate the stored session word when a validation fails. Together, these let an attacker who never looks at the image brute‑force the answer in at most about 33 validation attempts per issued CAPTCHA, enabling automated abuse of any feature that relies on Captcha::validation(), such as user registration, password recovery, or the contact form.
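
The arithmetic behind the "about 33 requests" figure, and why both root causes need fixing, can be checked with a small offline model. The following is an added example written for this page, not code from the AVideo project: it re-implements only the behaviour the advisory states (client-chosen length, a `strcasecmp`-style case-insensitive compare, and a stored word that survives a failed check) with a switch for each of the two fixes. The alphabet members, the clamp range (5 to 8 symbols) and the attacker's guessing order are assumptions; the advisory gives only the alphabet size.

```python
"""Offline model of the CVE-2026-40935 CAPTCHA weakness and of the two fixes.

Added example, not code from the AVideo project. It re-implements only what
the advisory states: the client chooses the word length (`ql`), the answer is
compared case-insensitively (strcasecmp), and a failed check leaves the stored
word in place. The alphabet members, the clamp lengths and the attacker's
guessing order are assumptions made for the model.
"""
import itertools
import secrets

# Assumed 33-symbol alphabet: the advisory gives the size, not the members.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ123456789"
MIN_LEN, MAX_LEN = 5, 8   # assumed clamp range for the fixed build


class CaptchaServer:
    """Holds one session's stored CAPTCHA word and counts HTTP requests.

    clamp_length=False, consume_on_failure=False reproduces the pre-fix
    behaviour described in the advisory; True/True is the hardened variant.
    """

    def __init__(self, clamp_length, consume_on_failure):
        self.clamp_length = clamp_length
        self.consume_on_failure = consume_on_failure
        self.word = None      # CAPTCHA word stored in the session
        self.requests = 0     # getCaptcha + validation requests seen

    def get_captcha(self, ql):
        """objects/getCaptcha.php: issue a word of `ql` symbols.

        Pre-fix: `ql` is trusted verbatim, so ql=1 yields a one-symbol word.
        Fixed: `ql` is clamped into [MIN_LEN, MAX_LEN] before use.
        """
        self.requests += 1
        length = int(ql)
        if self.clamp_length:
            length = max(MIN_LEN, min(MAX_LEN, length))
        self.word = "".join(secrets.choice(ALPHABET) for _ in range(length))
        return length   # the image goes to the client; the model needs only its length

    def validation(self, answer):
        """Captcha::validation(): case-insensitive compare against the stored word."""
        self.requests += 1
        if self.word is None:
            return False
        ok = answer.casefold() == self.word.casefold()
        # Pre-fix: only a correct answer consumes the word, so a wrong guess can
        # be followed by another guess against the same word. Fixed: every
        # attempt consumes it, forcing a fresh word (and image) each time.
        if ok or self.consume_on_failure:
            self.word = None
        return ok


def attack(server, ql=1, budget=len(ALPHABET)):
    """Attacker loop: fetch one CAPTCHA of the requested length, then submit
    every possible word in alphabet order until the server accepts one or
    `budget` validations are spent. Never looks at the image.
    Returns (success, validations_used)."""
    length = server.get_captcha(ql)
    used = 0
    for guess in itertools.product(ALPHABET.lower(), repeat=length):
        if used >= budget:
            break
        used += 1
        if server.validation("".join(guess)):
            return True, used
    return False, used


def expected_requests(clamp_length, consume_on_failure):
    """Mean number of HTTP requests (getCaptcha + validation) an attacker who
    always asks for ql=1 needs to pass one CAPTCHA, per fix combination."""
    length = MIN_LEN if clamp_length else 1
    space = len(ALPHABET) ** length   # equally likely words
    if consume_on_failure:
        # Each trial costs one fetch plus one guess and succeeds with
        # probability 1/space, so on average `space` trials are needed.
        return 2.0 * space
    # One fetch, then guesses in fixed order against an unchanging word:
    # a uniformly random word is hit after (space + 1) / 2 guesses on average.
    return 1.0 + (space + 1) / 2


if __name__ == "__main__":
    ok, tries = attack(CaptchaServer(clamp_length=False, consume_on_failure=False))
    print(f"pre-fix build: solved={ok} after {tries} blind guesses")
    ok, tries = attack(CaptchaServer(clamp_length=True, consume_on_failure=True))
    print(f"fixed build:   solved={ok} after {tries} blind guesses")
    for clamp, consume in itertools.product([False, True], repeat=2):
        print(f"clamp={clamp!s:5} consume={consume!s:5} "
              f"expected requests={expected_requests(clamp, consume):,.0f}")
```

Running it shows the pre-fix server solved in at most 33 blind guesses, while the hardened server consumes the word on the first wrong guess. The `expected_requests` figures also show that invalidating the word on failure is not sufficient on its own: with a one-symbol word, fetching a fresh CAPTCHA after every failure still succeeds after about 66 requests on average, so the length clamp is what actually restores the search space (33^5, about 39 million, for a five-symbol word).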

Affected Systems

Open source video platform WWBN:AVideo, affected in all releases up to and including version 29.0, where the vulnerability exists in the objects/getCaptcha.php handler.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates moderate severity; the vector records an integrity impact only, because the flaw defeats the CAPTCHA rather than exposing accounts or data by itself. EPSS is below 1% (very low) and the flaw is not listed in CISA's KEV catalog, although the SSVC assessment marks it as automatable with a public proof of concept. The attack requires no authentication and can be launched from any network location. Because the stored word is not regenerated after a wrong answer, the attacker needs no image recognition at all: a one‑character CAPTCHA falls within about 33 requests, which removes the anti‑automation control that registration, password recovery and contact‑form submissions rely on.

Generated by OpenCVE AI on April 22, 2026 at 06:16 UTC.

Remediation

Fixed in commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 (see the Description). The advisory lists no separate workaround.

OpenCVE Recommended Actions

  • Update WWBN AVideo to a release that includes commit bf1c76989e6a9054be4f0eb009d68f0f2464b453; all releases up to and including 29.0 are affected.
  • Do not disable CAPTCHA validation as a stop‑gap: the flaw already lets an attacker bypass it, and removing it would leave registration, password recovery and the contact form with no anti‑automation check at all. Until the patch is applied, rate‑limit those endpoints and, if the deployment's front end does not depend on a custom length, reject or strip the `ql` query parameter on requests to objects/getCaptcha.php at the reverse proxy so the server always uses its default length (this interim control is not part of the vendor advisory).
  • After patching, confirm both root causes are closed: requesting objects/getCaptcha.php with a small `ql` (for example ql=1) still yields a word of the normal length, and a wrong answer submitted to a CAPTCHA‑protected form invalidates the stored word so the next attempt requires a fresh CAPTCHA.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:30:00 +0000

Values removed: none
Values added:
  First Time appeared: Wwbn; Wwbn avideo
  Vendors & Products: Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Values removed: none
Values added:
  Description: WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.
  Title: WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
  Weaknesses: CWE-804
  References: (none)
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:36:10.405Z

Reserved: 2026-04-15T20:40:15.518Z

Link: CVE-2026-40935

Vulnrichment

Updated: 2026-04-22T18:14:01.653Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T23:16:20.577

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-40935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses