PT-2026-26475 · Wwbn · Avideo+1

Fg0X0 · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33297

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions prior to 26.0

Description

WWBN AVideo is an open source video platform. A logic error in the setPassword.json.php endpoint within the CustomizeUser plugin allows administrators to inadvertently set a channel password to zero for any user. This occurs because any password containing non-numeric characters is silently converted to the integer zero before being stored. Consequently, any visitor can bypass channel-level access control by simply guessing the password '0'.

The endpoint, setPassword.json.php, processes the ProfilePassword request parameter using the intval() function, which converts alphanumeric strings to 0. This silent coercion means administrators are unaware that the intended password is not being stored correctly. The vulnerability affects channel-level access control and does not enable account takeover or privilege escalation, but it renders the password protection feature ineffective for non-numeric passwords.

Recommendations

Versions prior to 26.0 should be updated to version 26.0 or later.
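
The coercion described above, shown next to a hardened alternative. This is an added example, not AVideo's code or its 26.0 patch; the function names and sample passwords are hypothetical, and hashing the value with password_hash() is an assumed remediation.

```php
<?php
declare(strict_types=1);

// What the advisory describes: the submitted value goes through intval().
// For a string with no leading digits, intval() returns 0.
function legacyStoredValue(string $submitted): int
{
    return intval($submitted);
}

// Hypothetical replacement (not the project's patch): refuse empty input and
// keep the password as a hash instead of casting it to an integer.
function hardenedStoredValue(string $submitted): string
{
    if (trim($submitted) === '') {
        throw new InvalidArgumentException('channel password must not be empty');
    }
    return password_hash($submitted, PASSWORD_DEFAULT);
}

// Constructed sample passwords an administrator might type.
$samples = ['S3cret-Channel!', 'letmein', 'p@ss2026'];

foreach ($samples as $typed) {
    $legacy = legacyStoredValue($typed);
    $hash   = hardenedStoredValue($typed);

    // "survives" asks whether the stored value still equals what was typed.
    printf(
        "%-16s legacy stored=%d survives=%s | hardened: typed ok=%s, '0' ok=%s\n",
        $typed,
        $legacy,
        var_export((string) $legacy === $typed, true),
        var_export(password_verify($typed, $hash), true),
        var_export(password_verify('0', $hash), true)
    );
}
```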

Exploit

Fix

LPE

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-33297
GHSA-6547-8HRG-C55M

Affected Products

Avideo
Customizeuser