Cyber Resilience

CVE-2026-33038

High · Public PoC

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: version 26.0
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (38.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33038 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wwbn Avideo. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-33038 is a high-severity vulnerability in WWBN AVideo, an open source video platform, affecting versions 25.0 and below. The issue resides in the install/checkConfiguration.php endpoint, which enables unauthenticated application takeover. This endpoint performs full application initialization (database setup, admin account creation, and configuration file writing) directly from unauthenticated POST input. Its sole safeguard is a check for whether videos/configuration.php already exists, so any deployment that has not yet been initialized is exposed.

Remote attackers with no privileges can exploit this vulnerability on uninitialized AVideo instances by submitting a POST request with attacker-controlled parameters. Successful exploitation completes the installation process using the attacker's specified credentials and database details, granting full administrative access to the platform. The CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) underscores the high confidentiality, integrity, and availability impacts, with attack complexity elevated due to the need for an uninitialized state. It is associated with CWE-306 (Missing Authentication for Critical Function).

The vulnerability has been fixed in AVideo version 26.0. Security practitioners should upgrade to this version immediately on affected deployments. Additional details are available in the GitHub security advisory at GHSA-2f9h-23f7-8gcx and the patching commit b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1.

Vulnerability details

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.
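A detection example, added here and not part of this advisory or of the AVideo project: it scans constructed web-server access-log lines (combined log format) for requests to the installer path described above and grades them, treating a POST to install/checkConfiguration.php that the server answered with a 2xx status as the signature of an initialization attempt accepted by an uninitialized, or still reachable, installer. The sample log lines, client addresses and severity labels are constructed assumptions.

```python
import re

# Apache/nginx combined log format: client IP, timestamp, request line, status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
INSTALLER_PREFIX = "/install/"                      # AVideo installer directory
INIT_ENDPOINT = "/install/checkConfiguration.php"   # endpoint named in the advisory

# Constructed sample traffic (an assumption, not real logs): a normal page view,
# an accepted initialization POST, an installer page view, and a POST blocked with 403.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2026:10:01:05 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.9 - - [20/Mar/2026:10:01:06 +0000] "GET /install/?step=2 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.4 - - [20/Mar/2026:10:02:10 +0000] "POST /install/checkConfiguration.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def grade(method, path, status):
    """Severity of one installer request: critical = POST to the init endpoint
    accepted (2xx), meaning the instance was uninitialized or the installer stayed
    reachable after setup; medium = such a POST rejected; low = any other /install/ touch."""
    if path == INIT_ENDPOINT and method == "POST":
        return "critical" if 200 <= status < 300 else "medium"
    return "low"

def find_installer_hits(log_text):
    """Every request under /install/, with source, status and severity, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not path.startswith(INSTALLER_PREFIX):
            continue
        status = int(rec["status"])
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                     "path": path, "status": status,
                     "severity": grade(rec["method"], path, status)})
    return hits
```

On a deployment that has completed installation, every hit here is unexpected: the installer directory should be removed or blocked at the web server, so even the "low" entries are worth an alert.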

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated remote code path in a public-facing web application's installation endpoint (checkConfiguration.php) that directly enables initial access and full admin takeover on uninitialized instances, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33719 (same product: Wwbn Avideo)
CVE-2026-34731 (same product: Wwbn Avideo)
CVE-2026-34732 (same product: Wwbn Avideo)
CVE-2025-34434 (same product: Wwbn Avideo)
CVE-2026-33292 (same product: Wwbn Avideo)
CVE-2026-33479 (same product: Wwbn Avideo)
CVE-2026-33767 (same product: Wwbn Avideo)
CVE-2026-33770 (same product: Wwbn Avideo)
CVE-2026-40925 (same product: Wwbn Avideo)
CVE-2026-28501 (same product: Wwbn Avideo)

Affected Assets

wwbn / avideo / ≤ 26.0

Mitigating Controls (NIST 800-53 r5, AI)

AC-14 Permitted Actions Without Identification or Authentication (prevent): Directly mandates identification and authentication prior to permitting critical actions like unauthenticated application initialization and admin account creation via the install/checkConfiguration.php endpoint.

AC-3 Access Enforcement (prevent): Enforces approved access control policies to block unauthorized POST requests that perform database setup, admin creation, and configuration writes on uninitialized deployments.

(prevent): Requires identification and authentication for non-organizational users or processes, preventing remote attackers from completing installation with attacker-controlled credentials.

References