{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33763", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.126Z", "datePublished": "2026-03-27T14:25:12.794Z", "dateUpdated": "2026-03-30T12:06:27.809Z"}, "containers": {"cna": {"title": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"}, {"name": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:25:12.794Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch."}], "source": {"advisory": "GHSA-8prq-2jr2-cm92", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T12:06:10.864677Z", "id": "CVE-2026-33763", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:06:27.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33763", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T12:06:10.864677Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:06:24.463Z"}}], "cna": {"title": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle", "source": {"advisory": "GHSA-8prq-2jr2-cm92", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135", "name": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:25:12.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33763", "state": "PUBLISHED", "dateUpdated": "2026-03-30T12:06:27.809Z", "dateReserved": "2026-03-23T18:30:14.126Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T14:25:12.794Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch."}], "id": "CVE-2026-33763", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T15:16:58.390", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-27T15:52:24.734115+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version newer than 26.0 or apply the patch commit 01a0614fedcdaee47832c0d913a0fb86d8c28135.", "Verify that the get_api_video_password_is_correct endpoint no longer returns passwordIsCorrect or is disabled.", "Consider implementing rate limiting or CAPTCHA on the endpoint to prevent automated brute\u2011force attempts.", "Remove password protection from videos that do not require it to reduce attack surface."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to password-protected videos via offline brute force"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, all releases up to and including version 26.0. No other vendor or product is listed in the advisory.", "description_and_impact": "AVideo versions up to 26.0 expose an API that returns a boolean when a submitted password matches the stored password for any protected video. Because the response is immediate, unrate\u2011limited and does not require authentication, an attacker can repeatedly query the endpoint, collecting the true/false answer for each guess. This knowledge\u2011based authentication bypass allows the attacker to determine the exact password in a short period, and then openly view the protected video without authorization. The vulnerability is a classic authentication bypass and rate\u2011limit evasion (CWE\u2011307).", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. No exploit probability score is provided and the issue is not listed in the KEV catalog, but the lack of rate limiting means an attacker could exhaust the password space quickly if the password is weak. The attack vector is remote, unauthenticated request to the API endpoint. Successful exploitation would grant view\u2011only access to the protected video, violating confidentiality. The impact is confined to the protected media content rather than system compromise."}}}}, "created": "2026-03-27T20:28:32.100869+00:00", "updated": "2026-03-30T07:01:45.520364+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}