#VU125471 Observable Response Discrepancy in AVideo - CVE-2026-33688

 


Published: April 8, 2026


Vulnerability identifier: #VU125471
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33688
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to enumerate valid usernames and disclose account status information.

The vulnerability exists due to an observable response discrepancy in objects/userRecoverPass.php, which handles password recovery requests before captcha validation. A remote attacker can send specially crafted password recovery requests to enumerate valid usernames and disclose account status information.

No user interaction is required, and distinct JSON error responses reveal whether an account is active, inactive, or non-existent.
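
For operators reviewing whether the recovery endpoint has been probed, the following added example (not part of the advisory and not AVideo code) flags clients that send bursts of requests to objects/userRecoverPass.php. It assumes Apache/nginx combined-format access logs; the threshold, the window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoint named in the advisory.
RECOVERY_PATH = "/objects/userRecoverPass.php"

# Prefix of an Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def recovery_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak request count} for clients that sent at least
    `threshold` requests to the recovery endpoint inside any `window`.
    Each client's lines must be in chronological order, as in an access log."""
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # not a combined-format line
        path = m["target"].split("?", 1)[0]
        if not path.endswith(RECOVERY_PATH):
            continue               # endswith() also covers sub-directory installs
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def _line(ip, second, target):
    # Builds one constructed combined-format log line (documentation IP ranges).
    return (f'{ip} - - [08/Apr/2026:10:00:{second:02d} +0000] '
            f'"POST {target} HTTP/1.1" 200 64 "-" "-"')

# Constructed sample: one client sends 8 recovery requests in 35 seconds,
# another sends a single recovery request and one unrelated request.
SAMPLE_LOG = (
    [_line("198.51.100.7", s, RECOVERY_PATH) for s in range(0, 40, 5)]
    + [_line("203.0.113.20", 12, RECOVERY_PATH)]
    + [_line("203.0.113.20", 20, "/index.php")]
)

if __name__ == "__main__":
    print(recovery_bursts(SAMPLE_LOG))
```

Request volume is only a heuristic: tune the threshold to the site's normal password-reset traffic, and aggregate by more than client IP if requests arrive through a shared proxy.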


Remediation

Install the security update from the vendor's website.
