PT-2026-25996 · Avideo · Avideo

Bugbunny-Research · Published 2026-03-17 · Updated 2026-03-22 · CVE-2026-33038

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions 25.0 and below
Description: AVideo, an open source video platform, has an unauthenticated application takeover issue. The install/checkConfiguration.php endpoint allows full application initialization – database setup, admin account creation, and configuration file write – from unauthenticated POST input. The only existing safeguard is a check to see if videos/configuration.php already exists. On uninitialized deployments, a remote attacker can complete the installation with attacker-controlled credentials and a database, gaining full administrative access. The endpoint allows the attacker to supply their own database host, eliminating the need to guess database credentials. The admin user is created with attacker-controlled passwords and unsanitized input, potentially leading to SQL injection. The configuration file is written with attacker-controlled values, embedding database credentials and other settings. The CLI installer is protected, but the web endpoint is not, creating an inconsistent defense.
Recommendations (versions 25.0 and below):
- Add a one-time setup token to the installation process.
- Restrict installer access to localhost or the command line interface only.
- Parameterize SQL queries to prevent SQL injection.
- Upgrade password hashing from md5() to password_hash() with PASSWORD_BCRYPT or PASSWORD_ARGON2ID.
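How the four recommendations fit together at the top of a web installer endpoint, as an added illustration (not AVideo's code): the existing configuration-file check is kept, a localhost restriction and a constant-time setup-token check are added in front of it, and the admin account is created with a prepared statement and password_hash(). The token file path, the PDO handle and the users table and column names are hypothetical.

```php
<?php
// Added illustration of the recommended hardening; not AVideo's own code.
declare(strict_types=1);

const CONFIG_FILE = __DIR__ . '/../videos/configuration.php'; // path named in the advisory
const SETUP_TOKEN_FILE = __DIR__ . '/../videos/.setup_token';  // hypothetical, created by the operator

function installerAllowed(array $server, array $post): bool
{
    // 1. Existing safeguard: refuse once the application is already initialized.
    if (file_exists(CONFIG_FILE)) {
        return false;
    }
    // 2. Localhost only: a remote client never reaches the installer logic.
    if (!in_array($server['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true)) {
        return false;
    }
    // 3. One-time setup token placed on disk by the operator before installing,
    //    compared in constant time so the check does not leak timing.
    $expected = @file_get_contents(SETUP_TOKEN_FILE);
    $supplied = (string) ($post['setup_token'] ?? '');
    if ($expected === false || $supplied === '' || !hash_equals(trim($expected), $supplied)) {
        return false;
    }
    return true;
}

function createAdmin(PDO $db, string $user, string $password): void
{
    // 4. Parameterized insert (no string concatenation of POST input) and a
    //    modern password hash instead of md5(). Argon2id when the PHP build has it.
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
    $hash = password_hash($password, $algo);
    $stmt = $db->prepare('INSERT INTO users (user, password, isAdmin) VALUES (:user, :password, 1)');
    $stmt->execute([':user' => $user, ':password' => $hash]);
}

if (!installerAllowed($_SERVER, $_POST)) {
    http_response_code(403);
    exit('Installer disabled');
}

// $db is the PDO connection opened by the installer's database step (hypothetical).
$db = new PDO('sqlite::memory:'); // constructed stand-in so the example runs offline
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT NOT NULL, isAdmin INTEGER)');
createAdmin($db, (string) ($_POST['admin_user'] ?? 'admin'), (string) ($_POST['admin_pass'] ?? ''));
@unlink(SETUP_TOKEN_FILE); // burn the token: the installer cannot be replayed
```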

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-33038
GHSA-2F9H-23F7-8GCX

Affected Products

Avideo