CVE-2026-40935
Insecure CAPTCHA Validation in WWBN AVideo Enables Brute Force
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 29.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-804 | The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo versions 29.0 and prior, where the CAPTCHA length parameter (`ql`) in the `objects/getCaptcha.php` file is accepted directly from the query string without any clamping or sanitization.
This allows any unauthenticated client to force the server to generate a CAPTCHA with only 1 character. Because the CAPTCHA validation uses a case-insensitive comparison over a small alphabet (~33 characters) and failed attempts do not consume the stored session token, an attacker can easily brute-force the CAPTCHA.
This brute-force attack can be done in about 33 requests per session, affecting any endpoint relying on CAPTCHA validation, such as user registration, password recovery, and contact forms.
How can this vulnerability impact me?
The vulnerability allows an attacker to bypass CAPTCHA protections on various endpoints without authentication.
- It can enable automated attacks such as account creation, password recovery abuse, or spam submissions through contact forms.
- This can lead to increased risk of unauthorized access attempts, spam, or denial of service on affected services.
Overall, it reduces the effectiveness of CAPTCHA as a security control, potentially exposing the system to abuse.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update WWBN AVideo to a version that includes the fix from commit bf1c76989e6a9054be4f0eb009d68f0f2464b453.
This fix addresses the issue by properly clamping or sanitizing the CAPTCHA length parameter, preventing attackers from forcing a 1-character CAPTCHA and thus stopping trivial brute-force attacks.
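To make the mechanism and the fix concrete, here is an added Python model (not AVideo's PHP code, and not the referenced commit) of the two behaviours described above: a generator that takes the client's `ql` unclamped versus one that clamps it into a fixed range, and a validator that keeps the stored token across failed attempts versus one that consumes it on every attempt. The alphabet, the bounds `MIN_LEN`/`MAX_LEN` and the class names are assumptions chosen for illustration.

```python
import hmac
import secrets
import string
from typing import Optional

# Assumed ~33-symbol alphabet, close to the size the advisory describes.
ALPHABET = string.ascii_lowercase + "2345679"
MIN_LEN, MAX_LEN = 5, 8  # assumed sane bounds; tune for your deployment


def unclamped_length(ql: str) -> int:
    """Weak pattern: trust the query-string value as the CAPTCHA length."""
    return int(ql)  # ql=1 yields a 1-character challenge


def clamp_length(ql: Optional[str]) -> int:
    """Hardened pattern: coerce any client value into [MIN_LEN, MAX_LEN]."""
    try:
        n = int(ql)
    except (TypeError, ValueError):
        return MIN_LEN
    return max(MIN_LEN, min(MAX_LEN, n))


def brute_force_space(length: int) -> int:
    """Guesses needed to exhaust a case-insensitive challenge of this length."""
    return len(ALPHABET) ** length


class CaptchaSession:
    """Holds the server-side token for one challenge (constructed model)."""

    def __init__(self, length: int = MIN_LEN, token: Optional[str] = None):
        self.token = token or "".join(secrets.choice(ALPHABET) for _ in range(length))

    def validate_weak(self, answer: str) -> bool:
        # Token survives a wrong answer, so every guess counts against the same challenge.
        return answer.lower() == (self.token or "").lower()

    def validate_hardened(self, answer: str) -> bool:
        # Single-use: the token is consumed whether the answer is right or wrong,
        # so each challenge permits exactly one guess.
        token, self.token = self.token, None
        if token is None:
            return False
        return hmac.compare_digest(answer.lower().encode(), token.lower().encode())
```

With the weak path, a forced 1-character challenge is exhausted in `brute_force_space(1)` guesses; with clamping plus single-use tokens, each challenge is at least `brute_force_space(MIN_LEN)` wide and yields one attempt.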
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the endpoint `objects/getCaptcha.php` accepts a `ql` parameter in the query string that controls the CAPTCHA length without any sanitization or clamping.
One way to detect it is to send HTTP requests to the vulnerable endpoint with different `ql` values and observe if the server generates CAPTCHAs of the requested length, including a 1-character CAPTCHA.
For example, you can use curl commands like the following to test the behavior:
- `curl -i "http://<target>/objects/getCaptcha.php?ql=1"`
- `curl -i "http://<target>/objects/getCaptcha.php?ql=5"`
If the CAPTCHA length changes according to the `ql` parameter, it indicates the vulnerability is present.
Additionally, monitoring for repeated failed CAPTCHA validations that do not consume session tokens on endpoints relying on `Captcha::validation()` (such as user registration or password recovery) can help detect exploitation attempts.