PT-2026-34200 · Avideo · Avideo

Published: 2026-04-14 · Updated: 2026-04-26 · CVE-2026-40935

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 29.1
Description: In the open source video platform AVideo, the endpoint "objects/getCaptcha.php" accepts the CAPTCHA length via the ql query string parameter without clamping or sanitization. This allows unauthenticated clients to force the server to generate a 1-character CAPTCHA word. Because the system compares answers with the case-insensitive strcasecmp over a 33-character alphabet, and a failed validation does not consume the stored session token, an attacker can brute-force the CAPTCHA on any endpoint that uses the Captcha::validation() function, such as user registration, password recovery, and contact forms, in approximately 33 requests per session.
Recommendations: Update to a version later than 29.0 that includes commit bf1c76989e6a9054be4f0eb009d68f0f2464b453.
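The description names three independent weaknesses: a client-controlled length that is never clamped, a case-insensitive comparison that shrinks the guess space, and a stored token that survives failed attempts. The following PHP is an added illustration of a CAPTCHA helper that closes all three; it is not AVideo's code and does not reproduce the project's Captcha class. The class name, method names, alphabet, length bounds and failure limit are assumptions chosen for the example (PHP 8.0+ for the mixed type).

```php
<?php
// Added example, not AVideo's code: a CAPTCHA helper hardened against the
// three weaknesses in the advisory. All identifiers here are assumptions.

declare(strict_types=1);

final class HardenedCaptcha
{
    // Bounds for the requested length; a client-supplied value outside
    // this range is clamped rather than trusted (fix for the unclamped ql).
    private const MIN_LEN = 6;
    private const MAX_LEN = 10;

    // Alphabet of the CAPTCHA word (assumed set for this example).
    private const ALPHABET = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

    // Wrong answers allowed per issued word before it is discarded.
    private const MAX_FAILURES = 3;

    // Turns any request value into a length inside [MIN_LEN, MAX_LEN].
    public static function clampLength(mixed $requested): int
    {
        $n = filter_var($requested, FILTER_VALIDATE_INT);
        if ($n === false) {
            return self::MIN_LEN; // missing or non-numeric input
        }
        return max(self::MIN_LEN, min(self::MAX_LEN, $n));
    }

    // Issues a new word, stores it server-side and resets the failure count.
    public static function generate(mixed $requestedLength): string
    {
        $len   = self::clampLength($requestedLength);
        $alpha = self::ALPHABET;
        $word  = '';
        for ($i = 0; $i < $len; $i++) {
            // random_int() is a CSPRNG; rand()/mt_rand() would be predictable.
            $word .= $alpha[random_int(0, strlen($alpha) - 1)];
        }
        $_SESSION['captcha_word']     = $word;
        $_SESSION['captcha_failures'] = 0;
        return $word;
    }

    // Checks an answer; the stored word is consumed on success and after
    // MAX_FAILURES wrong attempts, so one issued word cannot be brute-forced.
    public static function validate(string $answer): bool
    {
        $expected = $_SESSION['captcha_word'] ?? null;
        if ($expected === null) {
            return false; // nothing issued, nothing to compare against
        }

        // Case-sensitive, length-checked, constant-time comparison
        // (replaces strcasecmp, which halved the effective alphabet).
        if (hash_equals($expected, $answer)) {
            unset($_SESSION['captcha_word'], $_SESSION['captcha_failures']);
            return true;
        }

        // Every failure counts against the issued word (replaces the
        // behaviour where a failed validation left the token in place).
        $_SESSION['captcha_failures'] = ($_SESSION['captcha_failures'] ?? 0) + 1;
        if ($_SESSION['captcha_failures'] >= self::MAX_FAILURES) {
            unset($_SESSION['captcha_word'], $_SESSION['captcha_failures']);
        }
        return false;
    }
}

// Usage sketch (hypothetical endpoint wiring, requires session_start()):
//   $word = HardenedCaptcha::generate($_GET['ql'] ?? null); // "ql=1" still yields 6 chars
//   ... render $word as an image ...
//   $passed = HardenedCaptcha::validate((string)($_POST['captcha'] ?? ''));
```

With these changes a client that sends ql=1 still receives a word of at least MIN_LEN characters, guesses are compared exactly and in constant time, and after MAX_FAILURES wrong answers the session must fetch a fresh word, so the per-session cost of guessing is the full alphabet raised to the word length rather than the 33 requests described above.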

Related Identifiers

CVE-2026-40935
GHSA-HG7G-56H5-5PQR

Affected Products

Avideo