CVE-2026-33037

{"id": "CVE-2026-33037", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-03-20T06:16:11.817", "references": [{"url": "https://github.com/WWBN/AVideo/commit/2075fac1a51f21fab5d8592235a095aa354a9de6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1188"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to \"password\", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En las versiones 25.0 e inferiores, los archivos oficiales de despliegue de Docker (docker-compose.yml, env.example) se distribuyen con la contrase\u00f1a de administrador establecida como 'password', que se utiliza autom\u00e1ticamente para inicializar la cuenta de administrador durante la instalaci\u00f3n, lo que significa que cualquier instancia desplegada sin sobrescribir SYSTEM_ADMIN_PASSWORD es inmediatamente vulnerable a una toma de control administrativa trivial. No existen controles compensatorios: no hay cambio de contrase\u00f1a forzado en el primer inicio de sesi\u00f3n, no hay validaci\u00f3n de complejidad, no hay detecci\u00f3n de contrase\u00f1a por defecto, y la contrase\u00f1a se hashea con un MD5 d\u00e9bil. El acceso completo de administrador permite la exposici\u00f3n de datos de usuario, la manipulaci\u00f3n de contenido y la potencial ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de la carga de archivos y la gesti\u00f3n de plugins. El mismo patr\u00f3n de valores predeterminados inseguros se extiende a las credenciales de la base de datos (avideo/avideo), lo que agrava el riesgo. La explotaci\u00f3n depende de que los operadores no cambien el valor predeterminado, una condici\u00f3n que probablemente se cumpla en despliegues de inicio r\u00e1pido, demostraciones y automatizados. Este problema ha sido solucionado en la versi\u00f3n 26.0."}], "lastModified": "2026-03-23T16:25:29.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}