PT-2026-27188 · Avideo · Avideo

Restriction

Published

2026-03-23

Updated

2026-03-25

CVE-2026-33688

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 26.1

Description AVideo is an open source video platform. Versions up to and including 26.0 have an issue in the password recovery endpoint at objects/userRecoverPass.php. This endpoint performs user existence and account status checks before validating the captcha. An unauthenticated attacker can enumerate valid usernames and determine account status (active, inactive, or banned) without solving a captcha by observing distinct JSON error responses. The vulnerable functionality lies in the order of operations performed by the objects/userRecoverPass.php script.

Recommendations Update AVideo to version 26.1 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-204

Related Identifiers

CVE-2026-33688

GHSA-M99F-MMVG-3XMX

Affected Products

Avideo

PT-2026-27188 · Avideo · Avideo

CVE-2026-33688

Weakness Enumeration

Related Identifiers

Affected Products

References · 7