Vulnerabilities ›

CVE-2026-33867

High ⚡ Exploit Available

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in

CWE-312 — Weakness Type

                    Published: Mar 27, 2026                      ·  Modified: Apr 2, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.

🤖 AI Executive Summary

CVE-2026-33867 affects WWBN AVideo up to version 26.0, where video passwords are stored in plaintext without hashing or encryption. An attacker with database read access (via SQL injection, backup theft, or misconfigured permissions) can obtain all video passwords in cleartext. This vulnerability is particularly critical for organizations using AVideo for sensitive content distribution, as it enables unauthorized access to protected videos and potential credential reuse attacks.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 3, 2026 10:49

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using AVideo for content distribution—particularly in government media agencies, educational institutions (universities and online learning platforms), healthcare organizations for training videos, and corporate training departments—face significant risk. The vulnerability is especially critical for entities under SAMA oversight managing financial training content, NCA-regulated government agencies distributing sensitive communications, and healthcare providers using AVideo for confidential medical training. The plaintext password storage violates fundamental data protection principles and could expose organizational content to unauthorized access, competitive intelligence theft, and regulatory non-compliance.

🏢 Affected Saudi Sectors

Government and Public Administration Education and Universities Healthcare and Medical Training Banking and Financial Services Telecommunications Media and Broadcasting Corporate Training and Development Energy Sector

🎯 MITRE ATT&CK Techniques

T1005 — Data from Local System (database access) T1213 — Data from Information Repositories (database exfiltration) T1110 — Brute Force (password cracking if obtained) T1040 — Network Sniffing (if database traffic unencrypted) T1190 — Exploit Public-Facing Application (SQL injection vector) T1021 — Remote Services (database access via misconfigured controls)

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Upgrade WWBN AVideo to version 26.1 or later that includes commit f2d68d2adbf73588ea61be2b781d93120a819e36

2. Audit database access logs for unauthorized read attempts or SQL injection attacks

3. Review database backup security and access controls; ensure backups are encrypted and access-restricted

4. Force password reset for all video passwords after patching

5. Implement database activity monitoring (DAM) to detect unauthorized queries



Patching Guidance:

- Test patch in non-production environment first

- Schedule maintenance window for production deployment

- Verify all video passwords are re-hashed using bcrypt or PBKDF2 post-patch



Compensating Controls (if immediate patching delayed):

- Implement database encryption at rest (TDE/transparent data encryption)

- Restrict database access to principle of least privilege

- Enable SQL injection prevention (parameterized queries, WAF rules)

- Implement database access logging and alerting

- Conduct immediate database access review



Detection Rules:

- Monitor for SQL injection attempts in AVideo application logs

- Alert on unusual database queries selecting password fields

- Track failed authentication attempts against video content

- Monitor for bulk password extraction queries

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. ترقية WWBN AVideo إلى الإصدار 26.1 أو أحدث الذي يتضمن الإصلاح المطلوب

2. تدقيق سجلات الوصول إلى قاعدة البيانات للكشف عن محاولات القراءة غير المصرح بها أو هجمات حقن SQL

3. مراجعة أمان النسخ الاحتياطية لقاعدة البيانات والتحكم في الوصول؛ التأكد من تشفير النسخ الاحتياطية وتقييد الوصول

4. فرض إعادة تعيين كلمة المرور لجميع كلمات مرور الفيديو بعد التصحيح

5. تنفيذ مراقبة نشاط قاعدة البيانات للكشف عن الاستعلامات غير المصرح بها



إرشادات التصحيح:

- اختبار التصحيح في بيئة غير الإنتاج أولاً

- جدولة نافذة صيانة لنشر الإنتاج

- التحقق من إعادة تجزئة جميع كلمات مرور الفيديو باستخدام bcrypt أو PBKDF2 بعد التصحيح



الضوابط البديلة (إذا تأخر التصحيح الفوري):

- تنفيذ تشفير قاعدة البيانات في الراحة (TDE)

- تقييد الوصول إلى قاعدة البيانات بمبدأ أقل امتياز

- تمكين منع حقن SQL (الاستعلامات المعاملة، قواعد WAF)

- تنفيذ تسجيل التنبيهات على الوصول إلى قاعدة البيانات

- إجراء مراجعة فورية لوصول قاعدة البيانات



قواعد الكشف:

- مراقبة محاولات حقن SQL في سجلات تطبيق AVideo

- التنبيه على استعلامات قاعدة البيانات غير العادية التي تحدد حقول كلمات المرور

- تتبع محاولات المصادقة الفاشلة ضد محتوى الفيديو

- مراقبة استعلامات استخراج كلمات المرور الضخمة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.10.1.1 — Cryptographic controls for sensitive data (plaintext storage violation) ECC 2024 A.8.2.3 — User access management and authentication ECC 2024 A.12.6.1 — Management of technical vulnerabilities ECC 2024 A.5.1.2 — Information security policies and procedures

🔵 SAMA CSF

SAMA CSF ID.AM-2 — Asset management and inventory SAMA CSF PR.DS-1 — Data security and protection SAMA CSF PR.DS-2 — Data in transit protection SAMA CSF DE.CM-1 — Detection and monitoring

🟡 ISO 27001:2022

ISO 27001:2022 A.8.2.3 — Management of privileged access rights ISO 27001:2022 A.8.3.2 — Restriction of access to information ISO 27001:2022 A.10.1.1 — Cryptographic controls ISO 27001:2022 A.12.6.1 — Management of technical vulnerabilities and exposures

🟣 PCI DSS v4.0.1

PCI DSS 3.2.1 — Render PAN unreadable (if video passwords contain payment data) PCI DSS 6.2 — Ensure security patches are installed PCI DSS 8.2.1 — Use strong authentication

🔗 References & Sources 3

🔗

https://github.com/WWBN/AVideo/commit/f2d68d2adbf73588ea61be2b781d93120a819e36

security-advisories@github.com

Patch

🔗

https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg

security-advisories@github.com

Exploit Vendor Advisory

🔗

https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg

134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

wwbn:avideo

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-312

EPSS0.01%

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-03-27

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available patch-available CWE-312

🏢 Vendor Advisories

🔗 https://github.com/WWBN/AVideo/security/advisories/G... 🔗 https://github.com/WWBN/AVideo/security/advisories/G...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-33867

💬 Comments

Introduce Yourself

Sign In Required