CVE-2026-33041
Received Received - Intake
Information Disclosure in WWBN AVideo Password Hash Endpoint

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33041
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33041 is a vulnerability in WWBN AVideo versions 25.0 and below where the endpoint /objects/encryptPass.json.php allows any unauthenticated user to submit arbitrary passwords and receive their hashed equivalents.'}, {'type': 'paragraph', 'content': "This exposure reveals the application's password hashing algorithm, which uses a weak hash chain (md5+whirlpool+sha1) without salting by default, making the hash output predictable and identical to stored database hashes."}, {'type': 'paragraph', 'content': 'Attackers can use this endpoint as a password hash oracle to generate hashes for candidate passwords, enabling efficient offline password cracking if they obtain password hashes from the database through other means such as SQL injection or backup exposure.'}, {'type': 'paragraph', 'content': 'This vulnerability eliminates the need for attackers to reverse-engineer the hashing algorithm, significantly aiding in rapid password cracking.'}] [2]

Impact Analysis

If an attacker obtains password hashes from your database, they can use the exposed endpoint to quickly generate matching hashes for guessed passwords, allowing them to crack user passwords offline very efficiently.

This can lead to unauthorized access to user accounts, potentially compromising sensitive user data and the integrity of your system.

Because the hashing algorithm is weak and unsalted by default, attackers can build rainbow tables or precomputed hash lists to accelerate brute force attacks.

Overall, this vulnerability increases the risk of credential compromise and unauthorized access without requiring the attacker to have any privileges or authentication.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the endpoint `/objects/encryptPass.json.php` is accessible without authentication and responds to arbitrary password inputs with hashed equivalents.'}, {'type': 'paragraph', 'content': 'You can use commands like curl to test this endpoint from your network or system:'}, {'type': 'list_item', 'content': "curl -X POST -d 'password=test' https://your-avideo-instance/objects/encryptPass.json.php"}, {'type': 'list_item', 'content': 'If the response returns a hashed password without requiring authentication, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for excessive requests to this endpoint (more than 20 calls per 5 minutes from the same IP) can indicate attempts to exploit the vulnerability.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the `/objects/encryptPass.json.php` endpoint by enforcing authentication and rate limiting.

  • Implement rate limiting to allow a maximum of 20 calls per 5 minutes per IP address to prevent abuse.
  • Require authentication for access to the endpoint, either via an authenticated admin session or a valid server-to-server HMAC token.
  • Ensure that the plaintext password is not returned in the response to avoid information disclosure.

Upgrading to version 26.0 or later of WWBN AVideo, where these protections are implemented, is recommended to fully address the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart