Information disclosure in AVideo - CVE-2026-33041

 


Published: May 4, 2026


Vulnerability identifier: #VU129506
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33041
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information to an unauthorized actor in objects/encryptPass.json.php when handling password hash requests. A remote attacker can submit arbitrary passwords to this endpoint and obtain their hashed equivalents, which discloses sensitive information.

By default, salt is not enabled, making the returned hash deterministic and identical to what is stored in the database.


How to mitigate CVE-2026-33041

Install the security update from the vendor's website.
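
Until the update is installed, web server logs can show whether the endpoint named above is being queried. The following is an added example, not code from the vendor or from this advisory: it counts successful requests to objects/encryptPass.json.php per client in an access log. The combined log format, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter
import re

# Endpoint path taken from the advisory; compared case-insensitively.
ENDPOINT_SUFFIX = "/objects/encryptpass.json.php"
# Common/combined log format: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2026:10:00:01 +0000] "POST /objects/encryptPass.json.php HTTP/1.1" 200 85
198.51.100.7 - - [04/May/2026:10:00:02 +0000] "POST /objects/encryptPass.json.php HTTP/1.1" 200 85
198.51.100.7 - - [04/May/2026:10:00:03 +0000] "POST /objects/encryptPass.json.php HTTP/1.1" 200 85
203.0.113.9 - - [04/May/2026:10:05:00 +0000] "POST /avideo/objects/encryptPass.json.php HTTP/1.1" 200 85
203.0.113.9 - - [04/May/2026:10:05:09 +0000] "GET /objects/encryptPass.json.php HTTP/1.1" 403 12
192.0.2.44 - - [04/May/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120
garbage line without the expected fields
"""

def endpoint_hits(lines):
    """Yield (client, timestamp, method, status) for requests to the endpoint."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, target, status = m.groups()
        # Drop the query string, then match the path under any install prefix.
        path = target.split("?", 1)[0].lower()
        if path.endswith(ENDPOINT_SUFFIX):
            yield client, ts, method, int(status)

def flag_clients(lines, threshold=3):
    """Return {client: count} for clients with >= threshold 2xx responses."""
    counts = Counter(
        client for client, _, _, status in endpoint_hits(lines)
        if 200 <= status < 300
    )
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for client, n in sorted(flag_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {n} successful requests to encryptPass.json.php")
```

Any client flagged here received hash output from the endpoint, so the count is a starting point for reviewing which accounts may need a password reset.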
