Auth bypass in Wwbn Avideo

CVE-2026-33297

WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted pa…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (17.6th percentile) — read the EPSS interpretation.

Affected products

Wwbn Avideo — versions < 26.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-6547-8hrg-c55m (x_refsource_CONFIRM)
https://github.com/WWBN/AVideo/commit/7a6a94631a0a18c313894395e6eb6703cca4abd0 (x_refsource_MISC)