PT-2026-28533 · Avideo · Avideo

Published 2026-03-26 · Updated 2026-03-27

CVE-2026-33763 · CVSS v3.1 5.3 Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
AVideo versions up to and including 26.0

Description
The get_api_video_password_is_correct API endpoint lets any unauthenticated user check whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field and enforces no rate limiting, CAPTCHA, or authentication, so video passwords can be brute-forced efficiently. The application's existing checkRateLimit() mechanism is not applied to this endpoint. Video passwords are stored in plaintext, and the comparison uses loose equality (==) rather than strict equality (===); in PHP, two numeric strings compared with == are compared as numbers, so a guess such as "1e3" or "0100" matches a stored password of "100" even though the strings differ.

Because the endpoint is not throttled, an attacker can test thousands of passwords per second and recover the password of any password-protected video on the platform. Successful exploitation bypasses access control for password-protected content.

The vulnerable endpoint is implemented at plugin/API/API.php:1111-1133 and is reached through the get() dispatcher at API.php:191-209. Video passwords are stored in objects/video.php:523-527. The endpoint is called as /plugin/API/get.json.php?APIName=video_password_is_correct and takes videos_id and video_password as parameters.

Recommendations
For versions up to and including 26.0: apply the existing checkRateLimit() mechanism to the video_password_is_correct endpoint. Store video passwords as hashes using password_hash() and verify them with password_verify() instead of plaintext storage and loose comparison. If plaintext passwords must be retained temporarily during migration, compare them with strict equality (===) or, better, hash_equals(), which is both strict and constant-time, never with ==.
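The following PHP is an added example written for this advisory, not AVideo's own code. It models the check described above (plaintext password, loose ==, no throttling) next to a hardened version that hashes the stored password, verifies it with password_verify(), and refuses to answer once a per-video, per-client attempt budget is spent. The function names, the in-memory rate-limiter state, and the sample videos_id and client IP are all hypothetical; in AVideo itself the existing checkRateLimit() would stand in for allow_attempt().

```php
<?php
// Added example, not AVideo's code. Models the check the advisory describes
// (plaintext password, loose ==, no throttling) beside a hardened version.
// All function names below are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern: plaintext stored password, loose comparison -------
function vulnerable_password_is_correct(string $stored, string $supplied): bool
{
    // With ==, two numeric strings are compared as numbers, so "1e2", "0100"
    // and "100.0" all satisfy a stored password of "100". Nothing throttles
    // the caller either, so every request is a free guess.
    return $stored == $supplied;
}

// --- Hardened pattern ------------------------------------------------------

// Hash at set time; only the hash is persisted (bcrypt via PASSWORD_DEFAULT).
function hash_video_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Hypothetical in-memory rate limiter keyed on (videos_id, client IP):
// at most $max attempts per $window seconds. In AVideo the existing
// checkRateLimit() should be used; this only stands in for it here.
function allow_attempt(array &$state, string $key, int $max = 5, int $window = 300, ?int $now = null): bool
{
    $now = $now ?? time();
    $bucket = $state[$key] ?? ['count' => 0, 'start' => $now];
    if ($now - $bucket['start'] >= $window) {   // window expired: start a new one
        $bucket = ['count' => 0, 'start' => $now];
    }
    if ($bucket['count'] >= $max) {             // budget exhausted: refuse
        $state[$key] = $bucket;
        return false;
    }
    $bucket['count']++;                          // every attempt, right or wrong, is counted
    $state[$key] = $bucket;
    return true;
}

// Throttled, strict, constant-time verification against the stored hash.
// Returns the same shape the advisory describes: a passwordIsCorrect field,
// but only when the caller is still within its attempt budget.
function hardened_password_is_correct(array &$state, string $videos_id, string $clientIp, string $storedHash, string $supplied): array
{
    if (!allow_attempt($state, $videos_id . '|' . $clientIp)) {
        // Once the budget is spent, do not leak a boolean at all.
        return ['error' => true, 'msg' => 'Too many attempts', 'passwordIsCorrect' => null];
    }
    return ['error' => false, 'msg' => '', 'passwordIsCorrect' => password_verify($supplied, $storedHash)];
}

// Interim measure if plaintext must be kept during migration: hash_equals()
// is strict (no numeric coercion) and constant-time, unlike == or ===.
function plaintext_password_is_correct(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// --- Demonstration ---------------------------------------------------------
// Loose == accepts "1e2" for a stored "100"; hash_equals() rejects it.
var_dump(vulnerable_password_is_correct('100', '1e2'));
var_dump(plaintext_password_is_correct('100', '1e2'));

// Six wrong guesses from one client against one video (constructed sample):
// the first five get a verdict, the sixth is refused by the limiter.
$state = [];
$hash  = hash_video_password('100');
for ($i = 1; $i <= 6; $i++) {
    $r = hardened_password_is_correct($state, '42', '203.0.113.7', $hash, (string)($i * 10));
    printf("attempt %d: %s\n", $i, $r['error'] ? $r['msg'] : var_export($r['passwordIsCorrect'], true));
}
```

Two design points worth keeping when porting this to the real endpoint: count successful attempts as well as failures, so a correct guess does not reset an attacker's budget, and key the limit on the video as well as the client, since a single client can otherwise spread its guesses across many videos. Keying on client IP alone is a floor, not a ceiling; a distributed attacker needs a per-video limit as well.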

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Related Identifiers

CVE-2026-33763
GHSA-8PRQ-2JR2-CM92

Affected Products

Avideo