Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33763
CVE-2026-33763
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-8prq-2jr2-cm92ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33763ghsaADVISORY
News mentions
0No linked articles in our index yet.