{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33041", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:50:07.423Z", "dateUpdated": "2026-03-20T05:50:07.423Z"}, "containers": {"cna": {"title": "AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-px7x-gq96-rmp5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-px7x-gq96-rmp5"}, {"name": "https://github.com/WWBN/AVideo/commit/ea2efd04464560cca93c9ab48b445dbb944a4e46", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/ea2efd04464560cca93c9ab48b445dbb944a4e46"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:50:07.423Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0."}], "source": {"advisory": "GHSA-px7x-gq96-rmp5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0."}], "id": "CVE-2026-33041", "lastModified": "2026-03-20T06:16:12.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:12.503", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/ea2efd04464560cca93c9ab48b445dbb944a4e46"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-px7x-gq96-rmp5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T07:21:02.430466+00:00", "value": {"mitigation_remediation": ["Upgrade to AVideo version 26.0 or later to remove the encryptPass.json.php endpoint and fix the hashing algorithm issue."], "summary": {"action": "Apply Patch", "impact": "Password Cracking"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in WWBN AVideo versions 25.0 and earlier. The affected product is the open\u2011source video platform AVideo, hosted in the WWBN repository. No specific sub\u2011components are listed beyond the encryptPass.json.php endpoint.\n", "description_and_impact": "AVideo exposes /objects/encryptPass.json.php to unauthenticated users, allowing any attacker to submit arbitrary passwords and receive the resulting hash. This creates an oracle for the hashed values used by the application. The hash algorithm chain is weak (md5+whirlpool+sha1, no salt by default). Once an attacker obtains password hashes from the database\u2014through SQL injection, backup exposure, or other means\u2014they can immediately match the leaked hash with a pre\u2011computed hash from the endpoint, enabling rapid offline cracking of user passwords. This threat results in confidentiality compromise, as attacker can recover plaintext passwords.\n", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity. EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. The attack vector is unauthenticated and remote, targeting a publicly exposed HTTP endpoint. While the endpoint alone does not grant direct system access, it provides a critical aid to attackers who have already compromised database credentials or gained access to password hashes. The presence of a weak, unsalted hash chain significantly increases the likelihood of rapid credential compromise. Therefore, the risk is that attackers who obtain any database hash can exploit this oracle to immediately recover corresponding passwords.\n"}}}}, "created": "2026-03-20T08:52:23.184420+00:00", "updated": "2026-03-20T10:37:04.566136+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}