Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.

INFO

Published Date :

2026-04-21T22:21:17.009Z

Last Modified :

2026-04-22T18:36:10.405Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40935 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40935.

URL Resource
https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453 cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact