Cleartext storage of sensitive information in AVideo - CVE-2026-33867
Published: April 8, 2026
Vulnerability identifier: #VU125481
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33867
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo
AVideo
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in objects/video.php when storing and checking video passwords. A remote attacker can obtain read access to the database to disclose sensitive information.
Passwords for protected videos are stored and compared in plaintext, and exposure can occur through database reads such as SQL injection, backup disclosure, or misconfigured access controls.
How to mitigate CVE-2026-33867
Install security update from vendor's website.