{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33037", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:25:49.049Z", "dateUpdated": "2026-03-20T05:25:49.049Z"}, "containers": {"cna": {"title": "WWBN AVideo has predictable default admin credentials in official Docker deployment path", "problemTypes": [{"descriptions": [{"cweId": "CWE-1188", "lang": "en", "description": "CWE-1188: Insecure Default Initialization of Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9"}, {"name": "https://github.com/WWBN/AVideo/commit/2075fac1a51f21fab5d8592235a095aa354a9de6", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/2075fac1a51f21fab5d8592235a095aa354a9de6"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:25:49.049Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to \"password\", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0."}], "source": {"advisory": "GHSA-89rv-p523-6wg9", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to \"password\", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0."}], "id": "CVE-2026-33037", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:11.817", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/2075fac1a51f21fab5d8592235a095aa354a9de6"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T06:21:17.051802+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version 26.0 or later.", "Set SYSTEM_ADMIN_PASSWORD to a strong, unique password during Docker deployment, and change the database credentials away from the defaults."], "summary": {"action": "Immediate Patch", "impact": "Administrative Takeover and Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WWBN: AVideo versions 25.0 and below are affected. The issue manifests in the official Docker deployment path, specifically the docker\u2011compose.yml and env.example files that ship the default credentials. Version 26.0 and later contain the fix.", "description_and_impact": "The vulnerability arises from predictable default admin credentials shipped with the official Docker deployment files of WWBN AVideo. The admin user is automatically seeded with the password \"password\" and the database credentials default to \"avideo/avideo\". Because the password is stored using weak MD5 hashing, there is no forced password change or complexity validation. The effect is that any instance deployed without overriding the SYSTEM_ADMIN_PASSWORD environment variable is immediately susceptible to trivial administrative takeover, granting full account control, exposure of user data, content manipulation, and the potential for remote code execution via file uploads and plugin management.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. EPSS information is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote access using the default admin credentials, which requires no special privileges; an attacker can simply trigger an HTTP login. Once authenticated, an attacker can alter data, upload malicious files, or otherwise execute code. The vulnerability is trivial to exploit in quick\u2011start, demo, or automated deployments where operators fail to customize the default password."}}}}, "created": "2026-03-20T08:52:28.533750+00:00", "updated": "2026-03-20T10:37:10.362172+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}