Observable Response Discrepancy in AVideo - CVE-2026-33688



Published: April 8, 2026


Vulnerability identifier: #VU125471
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33688
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to enumerate valid usernames and disclose account status information.

The vulnerability exists due to observable response discrepancy in objects/userRecoverPass.php when handling password recovery requests before captcha validation. A remote attacker can send specially crafted password recovery requests to enumerate valid usernames and disclose account status information.

No user interaction is required, and distinct JSON error responses reveal whether an account is active, inactive, or non-existent.
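The following is an added illustration, not AVideo's code: a minimal model of a password-recovery endpoint in its leaky form (account lookup and status-specific errors evaluated before the captcha, as the advisory describes) beside a hardened form that checks the captcha first and returns one indistinguishable body. The account table, status values and captcha sentinel are constructed for the example.

```python
import json
from typing import Optional

# Constructed sample account table (not AVideo data); status values are hypothetical.
USERS = {
    "alice": {"status": "active", "email": "alice@example.invalid"},
    "bob": {"status": "inactive", "email": "bob@example.invalid"},
}

# The single body the hardened handler returns for every account state.
GENERIC = {"error": False, "msg": "If the account exists, a recovery e-mail has been sent"}


def captcha_ok(token: Optional[str]) -> bool:
    """Stand-in captcha check; a real deployment verifies the token server-side."""
    return token == "valid-captcha"  # constructed sentinel value


def leaky_recover(user: str, captcha: Optional[str]) -> str:
    """Models the CWE-204 flaw: the lookup and its status-specific errors run
    before the captcha is checked, so each branch reveals a different state."""
    row = USERS.get(user)
    if row is None:
        return json.dumps({"error": True, "msg": "User not found"})
    if row["status"] != "active":
        return json.dumps({"error": True, "msg": "User is inactive"})
    if not captcha_ok(captcha):
        return json.dumps({"error": True, "msg": "Invalid captcha"})
    return json.dumps({"error": False, "msg": "Recovery e-mail sent"})


def queue_recovery_mail(address: str) -> None:
    """Placeholder for the real mail-sending step (done asynchronously)."""
    pass


def uniform_recover(user: str, captcha: Optional[str]) -> str:
    """Hardened form: captcha first, then one body regardless of account state.
    Whether mail is sent is a side effect that never surfaces in the response."""
    if not captcha_ok(captcha):
        return json.dumps({"error": True, "msg": "Invalid captcha"})
    row = USERS.get(user)
    if row is not None and row["status"] == "active":
        queue_recovery_mail(row["email"])
    return json.dumps(GENERIC)


def distinct_responses(handler, captcha: Optional[str]) -> int:
    """Number of different bodies a handler returns across the three account
    states (existing+active, existing+inactive, non-existent)."""
    return len({handler(u, captcha) for u in ("alice", "bob", "nobody")})
```

Keeping the response body uniform is only half of it: if the mail step runs inline, response time still differs by account state, so queue it out of the request path.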


How to mitigate CVE-2026-33688

Install the security update from the vendor's website.

Sources