{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:35:56.812Z", "dateUpdated": "2026-03-20T18:07:54.011Z"}, "containers": {"cna": {"title": "AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"}, {"name": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:35:56.812Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."}], "source": {"advisory": "GHSA-2f9h-23f7-8gcx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:28:13.379534Z", "id": "CVE-2026-33038", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:07:54.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33038", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T16:28:13.379534Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:28:26.888Z"}}], "cna": {"title": "AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments", "source": {"advisory": "GHSA-2f9h-23f7-8gcx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1", "name": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:35:56.812Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33038", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:07:54.011Z", "dateReserved": "2026-03-17T18:10:50.210Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T05:35:56.812Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. Las versiones 25.0 e inferiores son vulnerables a una toma de control de aplicaci\u00f3n no autenticada a trav\u00e9s del endpoint install/checkConfiguration.php. install/checkConfiguration.php realiza la inicializaci\u00f3n completa de la aplicaci\u00f3n: configuraci\u00f3n de la base de datos, creaci\u00f3n de cuenta de administrador y escritura de archivo de configuraci\u00f3n, todo desde una entrada POST no autenticada. La \u00fanica protecci\u00f3n es verificar si videos/configuration.php ya existe. En despliegues no inicializados, cualquier atacante remoto puede completar la instalaci\u00f3n con credenciales controladas por el atacante y una base de datos controlada por el atacante, obteniendo acceso administrativo completo. Este problema ha sido solucionado en la versi\u00f3n 26.0."}], "id": "CVE-2026-33038", "lastModified": "2026-03-23T16:24:08.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:11.983", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T17:26:42.462620+00:00", "value": {"mitigation_remediation": ["Upgrade the AVideo installation to version 26.0 or later", "If a patch cannot be applied immediately, block external access to the install/checkConfiguration.php endpoint (e.g., via firewall rules or .htaccess restrictions)", "Verify that the videos/configuration.php file exists and that the installer has not been successfully run on the deployment", "If the installer has already been executed with attacker-controlled settings, reconfigure the application with new administrator credentials and secure the database connection"], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated application takeover enabling full administrative control"}, "threat_synthesis": {"affected_systems": "Vulnerable versions include WWBN AVideo 25.0 and earlier. The issue applies to all installations that have not yet completed the initial setup, as the sole protection is the existence of videos/configuration.php. The problem has been resolved in version 26.0, which removes this unchecked initialization pathway.", "description_and_impact": "The vulnerability allows an attacker to trigger the application\u2019s full initialization sequence via the install/checkConfiguration.php endpoint, which is accessible without authentication. By submitting a crafted POST request, the attacker can set the database connection, create a user account, and write configuration files, effectively installing the application under attacker-controlled credentials. Once installed, the attacker gains complete administrative privileges over the video platform, with the ability to manage users, content, and underlying configurations. This reflects a breach of confidentiality, integrity, and availability of all platform data.", "risk_and_exploitability": "The CVSS score of 8.1 categorizes this flaw as high severity, and the EPSS score of less than 1% indicates that exploitation is currently unlikely but the potential impact is severe. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit it remotely by sending an unauthenticated POST request to install/checkConfiguration.php on an uninitialized server, which the platform exposes publicly in default deployments. This access path does not require any authentication or user interaction beyond making the HTTP request, making it a straightforward risk for sites that expose the installer in production."}}}}, "created": "2026-03-20T08:52:26.001139+00:00", "updated": "2026-03-25T14:30:22.201794+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}