PT-2026-25998 · Wwbn · Avideo

Offensiveee · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-33041

CVSS v3.1

5.3 Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions 25.0 and below

Description

The /objects/encryptPass.json.php endpoint in WWBN AVideo exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords through the pass parameter of this endpoint and receive their hashed equivalents, which enables offline password cracking against leaked database hashes. The encryptPassword() function uses a weak hash chain (md5+whirlpool+sha1, no salt by default), so password cracking is extremely fast once database hashes are available. The vulnerable file is objects/encryptPass.json.php, and the vulnerable function is encryptPassword(), located in objects/functions.php around line 2101.

Recommendations

Versions 25.0 and below should be updated to version 26.0 or later.
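To check whether the endpoint named above has been queried on a deployment, the following added example (not part of the advisory or of AVideo's code) scans web server access logs for requests to /objects/encryptPass.json.php and reports clients that called it repeatedly. It assumes Combined Log Format; the function names, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint named in the advisory; compared in lowercase after normalisation.
ENDPOINT = "/objects/encryptpass.json.php"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop the query string, percent-decode, collapse repeated slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def endpoint_hits(lines):
    """Yield (ip, timestamp, method, status) for each request to the endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        # endswith() also covers installs under a sub-directory such as /avideo/.
        if m and normalise_path(m["target"]).endswith(ENDPOINT):
            yield m["ip"], m["ts"], m["method"], int(m["status"])

def summarise(lines, threshold=3):
    """Return {ip: count} for clients with at least `threshold` answered (2xx) calls.

    The threshold is a hypothetical starting point; tune it to local traffic.
    """
    counts = Counter(ip for ip, _, _, status in endpoint_hits(lines)
                     if 200 <= status < 300)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2026:10:00:01 +0000] "GET /objects/encryptPass.json.php?pass=REDACTED HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.7 - - [17/Mar/2026:10:00:02 +0000] "POST /objects/encryptPass.json.php HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.7 - - [17/Mar/2026:10:00:03 +0000] "POST /avideo//objects/%65ncryptPass.json.php HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.4 - - [17/Mar/2026:10:05:00 +0000] "GET /objects/encryptPass.json.php HTTP/1.1" 404 12 "-" "-"',
    '198.51.100.9 - - [17/Mar/2026:10:06:00 +0000] "GET /view/index.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [17/Mar/2026:10:07:00 +0000] "POST /objects/ENCRYPTPASS.JSON.PHP HTTP/1.1" 200 64 "-" "-"',
]

if __name__ == "__main__":
    for ip, count in summarise(SAMPLE_LOG).items():
        print(f"{ip} called the hashing endpoint {count} times")
```

Values sent in a POST body do not appear in access logs, so the count shows how often the endpoint was used, not which passwords were submitted.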

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-33041
GHSA-PX7X-GQ96-RMP5

Affected Products

Avideo