CVE-2026-33688

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 26.1

Description AVideo is an open source video platform. Versions up to and including 26.0 have an issue in the password recovery endpoint at objects/userRecoverPass.php. This endpoint performs user existence and account status checks before validating the captcha. An unauthenticated attacker can enumerate valid usernames and determine account status (active, inactive, or banned) without solving a captcha by observing distinct JSON error responses. The vulnerable functionality lies in the order of operations performed by the objects/userRecoverPass.php script.

Recommendations Update AVideo to version 26.1 or later.