PT-2026-26565 · Avideo · Avideo

Bugbunny-Research · Published 2026-03-20 · Updated 2026-03-21

CVE-2026-33037
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AVideo versions 25.0 and below

Description: AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the administrator password set to 'password'. The installer uses this value to initialize the administrator account, so any instance deployed without overriding the SYSTEM ADMIN PASSWORD variable is immediately open to trivial administrative takeover. No mitigating controls are in place: there is no forced password change on first login, no complexity validation, and no detection of the default password. The password is hashed with MD5, a weak choice for this purpose. Full administrator access allows user data exposure, content manipulation, and potential remote code execution through file uploads and plugin management. The same insecure default pattern applies to the database credentials (avideo/avideo), which increases the risk. Exploitation depends on operators not changing the default value, a condition likely in quick-start, demonstration, and automated deployments.

Recommendations: AVideo versions prior to 26.0 should be updated to version 26.0 or later.
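A pre-deployment check for the default-credential pattern described above, added here as an example and not code from the advisory or the AVideo project. It assumes the admin password is supplied through a dotenv-style variable named SYSTEM_ADMIN_PASSWORD (the page writes it as "SYSTEM ADMIN PASSWORD") and uses hypothetical key names MYSQL_USER / MYSQL_PASSWORD for the avideo/avideo database pair; adjust the names to your compose files.

```python
import re
from typing import Dict, List

# Assumed variable names and their shipped defaults, taken from the advisory text.
# The MYSQL_* key names are hypothetical; the values avideo/avideo are from the page.
CHECKS = {
    "SYSTEM_ADMIN_PASSWORD": "password",
    "MYSQL_USER": "avideo",
    "MYSQL_PASSWORD": "avideo",
}

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse a dotenv-style file: KEY=VALUE, optional 'export', comments, quoted values."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]  # strip one matching pair of quotes
        env[key] = val
    return env


def audit_env(text: str) -> List[str]:
    """Return one finding per credential that is unset (image default applies) or still the shipped default."""
    env = parse_env(text)
    findings: List[str] = []
    for key, default in CHECKS.items():
        if env.get(key, "") == "":
            findings.append(f"{key} is not set; the deployment falls back to the shipped default")
        elif env[key] == default:
            findings.append(f"{key} is still the shipped default {default!r}")
    return findings


# Constructed sample resembling a quick-start .env where only the DB password was changed.
SAMPLE_ENV = """\
# quick-start settings (constructed sample)
export SYSTEM_ADMIN_PASSWORD='password'
MYSQL_USER=avideo
MYSQL_PASSWORD="S3cure-Db-Pass!"
"""

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV) or ["no default credentials found"]:
        print(finding)
```

Run it against the .env actually passed to docker-compose before bringing the stack up; an empty result is the condition the advisory's recommendation relies on.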

Related Identifiers

CVE-2026-33037
GHSA-89RV-P523-6WG9

Affected Products

Avideo