CVE-2026-33867
Plaintext Password Storage in WWBN AVideo Enables Credential Exposure
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33867 is a vulnerability in the WWBN AVideo platform versions up to and including 26.0 where video passwords are stored in plaintext in the database without any hashing, salting, or encryption.
The setter method for video passwords only trims the input and saves it directly, and the password check compares the entered password directly to the stored plaintext password without cryptographic verification.
If an attacker gains read access to the database through SQL injection, leaked backups, or misconfigured access controls, they can retrieve all video passwords in cleartext without any effort to crack them.
This vulnerability is classified as Cleartext Storage of Sensitive Information (CWE-312) and has a high severity rating.
How can this vulnerability impact me? :
If exploited, this vulnerability allows attackers who gain read access to the database to obtain all video passwords in plaintext.
Since users often reuse passwords across different services, attackers can use these exposed passwords to compromise other accounts or services.
This can lead to unauthorized access to protected video content and potentially broader credential harvesting and account compromises.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the database for video passwords stored in plaintext. Specifically, you can query the videos table to find any non-empty video_password entries that are not hashed.
- Run the SQL command: SELECT clean_title, video_password FROM videos WHERE video_password != ''; to retrieve all video passwords stored in plaintext.
- Check for any SQL injection vulnerabilities that might allow unauthorized read access to the database.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the AVideo platform to a patched version where video passwords are hashed using bcrypt.
- Upgrade to AVideo version 29.0 or later, which includes the fix that hashes video passwords upon storage.
- Apply the patch that changes password storage to use PHP's password_hash($video_password, PASSWORD_BCRYPT) function.
- Verify passwords on access using password_verify to prevent plaintext password exposure.
- Restrict and audit database access controls to prevent unauthorized read access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves storing video passwords in plaintext in the database without hashing, salting, or encryption. This cleartext storage of sensitive information (CWE-312) poses a significant risk if an attacker gains read access to the database, potentially exposing user credentials.
Such insecure handling of sensitive data can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require appropriate protection of personal and sensitive information to prevent unauthorized access and data breaches.
Because passwords are stored in plaintext, this vulnerability increases the risk of credential harvesting and broader account compromise, which can result in violations of privacy and security requirements mandated by these regulations.