CVE-2026-33041: AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php
/objects/encryptPass.json.php exposes the application’s password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes.
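One way to check web server access logs for use of this endpoint, and to confirm after mitigation that it is no longer served. This is an added example, not code from AVideo or the advisory; it assumes Apache/nginx Combined Log Format, and the sample log lines, the `/avideo/` sub-directory and the `k=v` query string are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

ORACLE_PATH = "/objects/encryptpass.json.php"  # advisory's endpoint, lowercased for matching

# Assumption: Apache/nginx Combined Log Format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalize(target):
    """Drop the query string, decode %-escapes, collapse '//' and '/./' segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path)).lower()

def oracle_requests(lines):
    """Map client IP -> {'served': n, 'denied': n} for requests to the hashing endpoint."""
    seen = defaultdict(lambda: {"served": 0, "denied": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, _method, target, status = m.groups()
        # endswith() also catches installs under a sub-directory such as /avideo/.
        if normalize(target).endswith(ORACLE_PATH):
            # Assumption: a 2xx status means the endpoint returned a hash.
            seen[ip]["served" if status.startswith("2") else "denied"] += 1
    return dict(seen)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /objects/encryptPass.json.php?k=v HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "POST /objects//encryptPass.json.php HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "GET /avideo/objects/%65ncryptPass.json.php?k=v HTTP/1.1" 200 64 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2026:10:01:00 +0000] "GET /objects/encryptPass.json.php HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in oracle_requests(SAMPLE_LOG).items():
        print(ip, counts)
```

A non-zero `served` count for a client means the endpoint answered it; once the endpoint is blocked or patched, new requests should appear only under `denied`.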