CVE-2026-33038

HIGH 8.1

AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments

CVSS Score

8.1

EPSS Score

0.1%

EPSS Percentile

29th

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.

CWE	CWE-306
Vendor	wwbn
Product	avideo
Published	Mar 20, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new high vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

WWBN / AVideo

< 26.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx github.com: https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1