LeakyCreds

CVE-2026-33297 - Vulnerability Analysis

Severity: Critical | CVSS: 9.1

Last Updated: March 23, 2026

WWBN AVideo - Broken Access Control

Published: March 23, 2026 | Updated: March 23, 2026 | PoC Available | Remote Exploitable

Overview

WWBN AVideo < 26.0 contains a broken access control vulnerability caused by a logic error in password processing in the CustomizeUser plugin's setPassword.json.php endpoint. The error lets administrators set a channel password to 0, which allows visitors to bypass access control. Exploitation requires administrator privileges.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can bypass channel-level access control by guessing the password '0', compromising channel security.

Mitigation

Update to version 26.0 or later.

Social Media Activity (4 posts)

TheHackerWire (@thehackerwire), Mar 23, 2026

🔓 CVE-2026-33297 - Critical (9.1) WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password v... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33297/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-33297
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: confirmed
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0% (probability of exploitation in the next 30 days)