{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:35:56.812Z", "dateUpdated": "2026-03-20T05:35:56.812Z"}, "containers": {"cna": {"title": "AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"}, {"name": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:35:56.812Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."}], "source": {"advisory": "GHSA-2f9h-23f7-8gcx", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0."}], "id": "CVE-2026-33038", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:11.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T06:20:43.567933+00:00", "value": {"mitigation_remediation": ["Upgrade WWBN AVideo to version 26.0 or later where the installer has been removed or secured.", "If upgrade is not immediately possible, restrict or block access to install/checkConfiguration.php on the web server until deployment is complete."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Application Takeover"}, "threat_synthesis": {"affected_systems": "The issue affects all uninitialized deployments of WWBN AVideo version 25.0 and earlier. The vulnerability is specifically tied to the install/checkConfiguration.php script in those versions.", "description_and_impact": "The vulnerability resides in the install/checkConfiguration.php endpoint of WWBN AVideo. An unauthenticated POST request can trigger full application initialization \u2013 creating database tables, generating administrative credentials, and writing configuration files. This allows a remote attacker to provision the application with attacker\u2011controlled database credentials and an arbitrary admin account, effectively granting full administrative access to the platform. The weakness is identified as CWE\u2011306 (Improper Authentication).", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, over HTTP(S), and requires no prior authentication. Once exploited, the attacker can fully control the application, including data and configuration, leading to compromise of confidentiality, integrity, and availability of the hosted content."}}}}, "created": "2026-03-20T08:52:26.001139+00:00", "updated": "2026-03-20T10:37:07.632007+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}