PT-2026-28541 · Avideo · Avideo
Athuljayaram · Published 2026-03-26 · Updated 2026-03-29 · CVE-2026-33867
CVSS v4.0: 9.1 Critical
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0
Description: AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext, without hashing, salting, or encryption. An attacker who gains read access to the database (for example through SQL injection, database backups, or misconfigured access controls) can obtain every video password in cleartext. The vulnerable setter is located in objects/video.php and is defined as public function setVideo_password($video_password). The vulnerable getter is also located in objects/video.php and is defined as public function getVideo_password(). The entered password is compared with the stored plaintext password directly, using the following logic: if ($video->getVideo_password() === $_POST['password']). This poses a credential harvesting risk, as users often reuse passwords across multiple services.
Recommendations: Versions up to and including 26.0: Hash video passwords on write using password_hash($video_password, PASSWORD_BCRYPT) and verify on read using password_verify($_POST['password'], $stored_hash).
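As an added illustration (not code from AVideo or from the advisory author), the plaintext setter, getter and comparison described above sit beside the hashed form the Recommendations call for; the class names and the branch that handles rows written before the fix are assumptions made for this example and go beyond what the advisory states.

```php
<?php
// Added example, not AVideo's own code. Method names follow the advisory
// (setVideo_password / getVideo_password); the classes and legacy-row handling
// are constructed for illustration.
declare(strict_types=1);

// Vulnerable pattern from the advisory: stored as typed, checked with ===.
final class VideoPasswordPlaintext
{
    private string $video_password = '';
    public function setVideo_password(string $video_password): void
    {
        $this->video_password = $video_password; // lands in the DB in cleartext
    }
    public function getVideo_password(): string
    {
        return $this->video_password;
    }
    public function check(string $entered): bool
    {
        return $this->getVideo_password() === $entered;
    }
}

// Hardened pattern from the Recommendations: store a bcrypt hash, verify on read.
final class VideoPasswordHashed
{
    private string $video_password = '';
    public function setVideo_password(string $video_password): void
    {
        // password_hash() generates and embeds a per-password salt.
        $this->video_password = password_hash($video_password, PASSWORD_BCRYPT);
    }
    public function check(string $entered): bool
    {
        $stored = $this->video_password;
        // Rows written before the fix still hold plaintext; password_get_info()
        // reports those as algoName 'unknown'. Compare in constant time and
        // rehash on first success so the cleartext is replaced in the DB.
        if (password_get_info($stored)['algoName'] === 'unknown') {
            if (!hash_equals($stored, $entered)) {
                return false;
            }
            $this->setVideo_password($entered);
            return true;
        }
        return password_verify($entered, $stored);
    }
}
```

Whatever holds the value in the real schema, the column must be wide enough for a 60-character bcrypt string, and the getter should no longer be exposed to templates once the stored value is a hash.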

Weakness Enumeration
Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2026-33867
GHSA-363V-5RH8-23WG

Affected Products

Avideo