Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33867 is a critical vulnerability affecting wwbn/avideo versions up to 26.0. It allows attackers who gain read access to the database to retrieve video passwords stored in plaintext. This lack of encryption poses a significant risk to content owners and their users. A fix is available, requiring users to upgrade to a patched version of the software.
The primary impact of CVE-2026-33867 is the exposure of video passwords. If an attacker successfully gains access to the database—through SQL injection, unauthorized access to database backups, or misconfigured access controls—they can retrieve all video passwords in cleartext. This allows them to bypass password protection and access protected video content without authorization. The blast radius extends to all content owners using wwbn/avideo and storing video passwords, potentially impacting a large number of users. This vulnerability shares similarities with other plaintext storage vulnerabilities where sensitive data is exposed due to inadequate security measures.
CVE-2026-33867 was publicly disclosed on 2026-03-26. The CVSS score of 9.5 (CRITICAL) indicates a high probability of exploitation. There are currently no known public proof-of-concept exploits, but the plaintext storage of passwords makes it a high-value target for attackers. It is not currently listed on the CISA KEV catalog.
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-33867 is to upgrade to a patched version of wwbn/avideo. Until you can upgrade, implement stricter database access controls to limit who can read the database: review and restrict user permissions, enforce strong authentication, and regularly audit database access logs. If a direct upgrade is not feasible due to compatibility issues, explore temporary workarounds such as encrypting the database at the operating system level, although this is not a complete solution. After upgrading, confirm that video passwords are no longer stored in plaintext by inspecting the database directly.
Update AVideo to a version later than 26.0. This will fix the issue of video passwords being stored in plaintext. The update includes a patch that implements a more secure method for storing passwords.
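One way to run the post-upgrade check described above, as an added example that is not part of the advisory or of AVideo's code. It assumes the patched release stores values in a PHP `password_hash()` format (the advisory does not say which scheme is used), and the `videos` table, `id` and `video_password` column names and all sample rows are hypothetical and constructed.

```python
import re
import sqlite3

# Formats produced by PHP's password_hash(): bcrypt and Argon2.
# Assumption: the patched release stores one of these; the advisory does not say.
HASH_RE = re.compile(
    r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    r"|\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"
)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def audit_password_column(conn, table, id_col, pw_col):
    """Classify every stored value without ever returning or logging it.

    Returns (ids_not_hashed, hashed_count, empty_count).
    """
    # Identifiers cannot be bound as parameters, so validate them strictly.
    for name in (table, id_col, pw_col):
        if not IDENT_RE.fullmatch(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    suspect, hashed, empty = [], 0, 0
    query = f"SELECT {id_col}, {pw_col} FROM {table} ORDER BY {id_col}"
    for row_id, value in conn.execute(query):
        if value is None or value == "":
            empty += 1              # video has no password set
        elif HASH_RE.fullmatch(value):
            hashed += 1
        else:
            suspect.append(row_id)  # anything else is treated as plaintext
    return suspect, hashed, empty


def build_sample_db():
    """Constructed data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, video_password TEXT)")
    conn.executemany("INSERT INTO videos VALUES (?, ?)", [
        (1, "hunter2"),                 # plaintext
        (2, "$2y$10$" + "A" * 53),      # bcrypt-shaped
        (3, ""),                        # no password
        (4, None),                      # no password
        (5, "$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$" + "B" * 43),
        (6, "$2y$truncated"),           # malformed, flagged
    ])
    return conn


if __name__ == "__main__":
    ids, hashed, empty = audit_password_column(build_sample_db(), "videos", "id", "video_password")
    print(f"not hashed: {ids}; hashed: {hashed}; empty: {empty}")
```

The audit reports only row identifiers and counts, so running it does not copy the passwords into terminal history or logs.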
CVE-2026-33867 is a critical vulnerability in wwbn/avideo where video passwords are stored in plaintext within the database, allowing attackers with database access to retrieve them.
You are affected if you are using wwbn/avideo versions 26.0 or earlier and are storing video passwords using the default password protection feature.
Upgrade to a patched version of wwbn/avideo. Until you can upgrade, implement stricter database access controls.
While no public exploits are currently known, the plaintext storage makes it a high-value target, and exploitation is possible.
Refer to the official wwbn/avideo security advisories on their website or relevant security mailing lists.