CVE-2026-33867
Published: 27 March 2026
Summary
CVE-2026-33867 is a high-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in WWBN AVideo. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 1.6th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-28 (Protection of Information at Rest): requires cryptographic mechanisms to protect the confidentiality of sensitive information such as video passwords at rest in the database, directly preventing cleartext exposure even if read access is gained.
- IA-5 (Authenticator Management): mandates protecting authenticator content from unauthorized disclosure and modification, directly addressing plaintext storage of video access passwords.
- AC-6 (Least Privilege): enforces least privilege on database access, limiting who can read the stored video passwords and mitigating unauthorized access vectors such as misconfigurations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Cleartext storage of passwords in the database directly enables T1552 (Unsecured Credentials: retrieval of the passwords once database read access is obtained); the initial database compromise via SQL injection or a similar path maps to T1190 (Exploit Public-Facing Application).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.
Deeper analysis
CVE-2026-33867 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability involves the plaintext storage of passwords used to protect individual videos in the database, without any hashing, salting, or encryption applied. This issue, classified under CWE-312 (Cleartext Storage of Sensitive Information), has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no privileges required.
An attacker who gains read access to the AVideo database, whether through SQL injection, acquisition of a database backup, or exploitation of misconfigured access controls, can directly retrieve every video password in cleartext. The vector's PR:N reflects that no AVideo account is required; database read access obtained by one of those routes is still the prerequisite. Once obtained, the passwords grant access to otherwise password-protected video content across the platform without further authentication or user interaction.
Mitigation is available via a patch in commit f2d68d2adbf73588ea61be2b781d93120a819e36 on the AVideo GitHub repository. The GitHub Security Advisory GHSA-363v-5rh8-23wg provides further details on the issue and remediation steps. Administrators should update to a release containing that commit and review database access controls to prevent unauthorized reads. Because the flaw is in how the value is stored, passwords written before the fix remain in the database in whatever form they were saved: verify that existing rows were rehashed or have video owners reset them, and treat any database backup taken before the fix as containing those passwords in cleartext.
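The storage flaw and the SC-28 / IA-5 controls listed above, as an added example that is not AVideo's code and not the change in commit f2d68d2adbf73588ea61be2b781d93120a819e36: a Python sketch that uses an in-memory SQLite table in place of the platform's database, with a hypothetical videos(id, title, password) schema and constructed sample rows. It puts the vulnerable plaintext store beside a hardened one (per-row random salt, memory-hard scrypt, constant-time verification), shows what a database read yields in each case, and rehashes rows that were written in plaintext, since fixing the write path does not change rows already on disk. The scrypt cost parameters and the "scrypt$N$r$p$salt$hash" storage format are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the example; not taken from any AVideo deployment.
SAMPLE_VIDEOS = [
    (1, "Board meeting Q1", "wintergreen"),
    (2, "Onboarding 2026", "Sunflower-42"),
    (3, "Internal demo", "hunter2"),
]

# scrypt cost parameters chosen for the example (2**14 * 8 * 128 bytes = 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def new_db():
    """In-memory stand-in for the platform's videos table (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, password TEXT)")
    return con

# --- Vulnerable pattern: the secret itself is written to the column (CWE-312) ---
def store_plaintext(con, video_id, title, password):
    con.execute("INSERT INTO videos VALUES (?, ?, ?)", (video_id, title, password))

def check_plaintext(con, video_id, candidate):
    row = con.execute("SELECT password FROM videos WHERE id = ?", (video_id,)).fetchone()
    return row is not None and row[0] == candidate

# --- Hardened pattern: salted memory-hard hash, constant-time compare (SC-28 / IA-5) ---
def hash_password(password, salt=None):
    """Return a self-describing 'scrypt$N$r$p$salt$hash' string for storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii"))

def verify_password(stored, candidate):
    """Recompute with the stored parameters; reject malformed or non-scrypt values."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_b64, dk_b64 = parts
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)

def store_hashed(con, video_id, title, password):
    con.execute("INSERT INTO videos VALUES (?, ?, ?)", (video_id, title, hash_password(password)))

def check_hashed(con, video_id, candidate):
    row = con.execute("SELECT password FROM videos WHERE id = ?", (video_id,)).fetchone()
    return row is not None and verify_password(row[0], candidate)

def is_hashed(value):
    """Prefix check used by the migration; a real schema would carry an explicit flag column."""
    return value.startswith("scrypt$") and value.count("$") == 5

def migrate_plaintext_rows(con):
    """Rehash rows that still hold the cleartext value. Returns the number migrated."""
    migrated = 0
    for video_id, value in con.execute("SELECT id, password FROM videos").fetchall():
        if not is_hashed(value):
            con.execute("UPDATE videos SET password = ? WHERE id = ?", (hash_password(value), video_id))
            migrated += 1
    con.commit()
    return migrated

def attacker_dump(con):
    """What read access (SQL injection, a backup, a misconfigured listener) yields."""
    return [value for (value,) in con.execute("SELECT password FROM videos ORDER BY id")]

def demo():
    vuln, fixed = new_db(), new_db()
    for video in SAMPLE_VIDEOS:
        store_plaintext(vuln, *video)
        store_hashed(fixed, *video)
    cleartext = [pw for _, _, pw in SAMPLE_VIDEOS]
    return {
        "vuln_dump_is_cleartext": attacker_dump(vuln) == cleartext,
        "fixed_dump_reveals_nothing": not any(v in cleartext for v in attacker_dump(fixed)),
        "fixed_still_authenticates": check_hashed(fixed, 2, "Sunflower-42")
                                    and not check_hashed(fixed, 2, "sunflower-42"),
        "rows_migrated": migrate_plaintext_rows(vuln),
        "migrated_rows_authenticate": check_hashed(vuln, 3, "hunter2")
                                      and not check_plaintext(vuln, 3, "hunter2"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints one line per check. The vulnerable table's dump is exactly the list of passwords, while the hardened table's dump contains only scrypt strings that verify_password can check but an attacker cannot reverse without a per-row brute force; the migration step rehashes the three plaintext rows in place and they then authenticate only through the hashed path. Hashing is the right primitive here because the application only ever needs to test a submitted password, not recover the stored one; if a deployment instead needed the original value back, SC-28 would call for encryption with a key held outside the database rather than a hash.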
Details
- CWE(s)