WWBN AVideo Channel Password Bypass Vulnerability (CVE-2026-33297)
WWBN AVideo versions prior to 26.0 contain a credential access vulnerability in which passwords containing non-numeric characters are processed incorrectly, effectively setting the password to '0' and allowing trivial channel access bypass.
WWBN AVideo is an open-source video platform. A critical vulnerability exists in versions prior to 26.0 within the CustomizeUser plugin. Specifically, the setPassword.json.php endpoint is susceptible to a logic error affecting channel password assignments. When an administrator attempts to set a channel password containing non-numeric characters for any user, the system incorrectly coerces the password to the integer zero before storing it. This effectively sets the channel password to ‘0’…
Detection coverage (2 rules)
AVideo Password Reset Request
Severity: medium. Detects requests to the setPassword.json.php endpoint, which may indicate attempted exploitation of CVE-2026-33297.
AVideo Failed Login Attempt with '0' Password
Severity: high. Detects failed login attempts with the password '0', which is the effective password after exploiting CVE-2026-33297.
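
An added example of the first detection above (not one of the platform's rules and not AVideo code): it scans Combined Log Format access-log lines for requests whose path contains the setPassword.json.php file name, decoding percent-encoding and ignoring the query string. The sample log lines, IP addresses and directory paths are constructed; only the file name comes from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

ENDPOINT = "setpassword.json.php"  # file name from the advisory, lower-cased

# Combined Log Format: client, timestamp, request line, status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, assumed directory paths)
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2026:09:14:02 +0000] "POST /plugin/CustomizeUser/setPassword.json.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2026:09:15:40 +0000] "GET /view/index.php?v=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2026:09:16:11 +0000] "POST /plugin/CustomizeUser/setPassword%2Ejson%2Ephp?x=1 HTTP/1.1" 403 31 "-" "curl/8.5.0"
192.0.2.55 - - [10/Mar/2026:09:17:30 +0000] "GET /docs/about-setPassword.json.php.txt HTTP/1.1" 404 12 "-" "Mozilla/5.0"
"""


def is_endpoint(target):
    """True when any decoded path segment equals the endpoint file name."""
    path = unquote(urlsplit(target).path)  # drop query string, decode %XX
    return any(seg.lower() == ENDPOINT for seg in path.split("/"))


def find_hits(log_text):
    """Return {client: [(timestamp, method, status), ...]} for endpoint requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_endpoint(m["target"]):
            hits[m["client"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_hits(SAMPLE_LOG).items():
        for ts, method, status in events:
            print(f"{client} {ts} {method} status={status}")
```

Matching on a whole path segment keeps look-alike names such as the `.txt` request in the sample from raising an alert, while still catching encoded or differently cased forms of the file name.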