CVE-2026-40935
Received Received - Intake
Insecure CAPTCHA Validation in WWBN AVideo Enables Brute Force

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40935
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-804 The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo versions 29.0 and prior, where the CAPTCHA length parameter (`ql`) in the `objects/getCaptcha.php` file is accepted directly from the query string without any clamping or sanitization.

This allows any unauthenticated client to force the server to generate a CAPTCHA with only 1 character. Because the CAPTCHA validation uses a case-insensitive comparison over a small alphabet (~33 characters) and failed attempts do not consume the stored session token, an attacker can easily brute-force the CAPTCHA.

This brute-force attack can be done in about 33 requests per session, affecting any endpoint relying on CAPTCHA validation, such as user registration, password recovery, and contact forms.

Impact Analysis

The vulnerability allows an attacker to bypass CAPTCHA protections on various endpoints without authentication.

  • It can enable automated attacks such as account creation, password recovery abuse, or spam submissions through contact forms.
  • This can lead to increased risk of unauthorized access attempts, spam, or denial of service on affected services.

Overall, it reduces the effectiveness of CAPTCHA as a security control, potentially exposing the system to abuse.

Mitigation Strategies

To mitigate this vulnerability, you should update WWBN AVideo to a version that includes the fix from commit bf1c76989e6a9054be4f0eb009d68f0f2464b453.

This fix addresses the issue by properly clamping or sanitizing the CAPTCHA length parameter, preventing attackers from forcing a 1-character CAPTCHA and thus stopping trivial brute-force attacks.

Detection Guidance

This vulnerability can be detected by checking if the endpoint `objects/getCaptcha.php` accepts a `ql` parameter in the query string that controls the CAPTCHA length without any sanitization or clamping.

One way to detect it is to send HTTP requests to the vulnerable endpoint with different `ql` values and observe if the server generates CAPTCHAs of the requested length, including a 1-character CAPTCHA.

For example, you can use curl commands like the following to test the behavior:

  • curl -i "http://<target>/objects/getCaptcha.php?ql=1"
  • curl -i "http://<target>/objects/getCaptcha.php?ql=5"

If the CAPTCHA length changes according to the `ql` parameter, it indicates the vulnerability is present.

Additionally, monitoring for repeated failed CAPTCHA validations that do not consume session tokens on endpoints relying on `Captcha::validation()` (such as user registration or password recovery) can help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart