Home / Vulnerability Intelligence / CVE-2026-40935

CVE-2026-40935 - Vulnerability Analysis

MediumCVSS: 5.3

Last Updated: April 23, 2026

WWBN AVideo - Authentication Bypass

Published: April 21, 2026Updated: April 23, 2026PoC AvailableRemote Exploitable

Overview

WWBN AVideo <= 29.0 contains a broken authentication caused by unsanitized CAPTCHA length parameter in objects/getCaptcha.php, letting unauthenticated attackers brute-force CAPTCHA with ~33 requests per session.

Severity & Score

Severity: Medium

CVSS Score: 5.3

Impact

Attackers can bypass CAPTCHA protections, enabling automated abuse of user registration, password recovery, and contact forms.

Mitigation

Update to a version including commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 or later.

References

https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453
https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40935
Severity: Medium
CVSS Score: 5.3
Type: broken_authentication
Status: confirmed

CWE

CWE-804

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N