CVE-2026-33297 · CRITICAL 9.1 · EPSS p25.9%

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before being stored. This means that regardless of the intended password, the stored channel password becomes 0, which any visitor can trivially guess to bypass channel-level access control. Version 26.0 contains a patch for the issue.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.34% probability of exploitation · percentile 25.9% · 2026-06-18T12:00:27Z
Published: 2026-03-23
Last modified: 2026-03-23

Underlying weaknesses · 1

CWE-639

References

  1. https://github.com/WWBN/AVideo/commit/7a6a94631a0a18c313894395e6eb6703cca4abd0
  2. https://github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m

| Type | Target | Confidence | Tier |
| --- | --- | --- | --- |
| Weakness | Authorization Bypass Through User-Controlled Key (cwe-639) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33719
  2. CVE-2026-33037
  3. CVE-2026-34394
  4. CVE-2026-33649
  5. CVE-2026-33038
  6. CVE-2026-33716

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.