Weak Cryptographic Implementation in WWBN AVideo LoginControl Plugin
CVE-2026-33488

7.4 HIGH

Key Information:

Vendor: Wwbn

Status
Vendor
CVE Published: 23 March 2026

What is CVE-2026-33488?

The WWBN AVideo platform has a cryptographic weakness in the LoginControl plugin's PGP 2FA implementation. In versions up to and including 26.0, the createKeys() function generates 512-bit RSA keys, a size considered insecure since 1999 because it can be factored with standard computing resources. An attacker with access to a user's public key can therefore compute the private key within hours and bypass the second authentication factor entirely. In addition, endpoints such as generateKeys.json.php and encryptMessage.json.php lack authentication checks, so unauthenticated users can trigger CPU-intensive key generation. The issue is fixed in commit 00d979d87f8182095c8150609153a43f834e351e.
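
A defender's check for the weak-key problem described above, as an added example (not AVideo's code and not the fix commit): it reads an OpenPGP public key, armored or binary, and reports the RSA modulus size so that existing 512-bit keys can be found and regenerated. The 2048-bit floor, the function names and the sample packet builder are assumptions of this example, as is the premise that the plugin stores keys as standard OpenPGP public-key blocks.

```python
import base64

MIN_RSA_BITS = 2048    # assumed policy floor; the advisory only says 512 bits is insecure
RSA_ALGOS = {1, 2, 3}  # OpenPGP public-key algorithm IDs for RSA (RFC 4880)

def dearmor(text):
    """Return the binary packets inside an ASCII-armored key block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]            # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def first_packet(data):  # split off the first OpenPGP packet, return (tag, body)
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                  # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("partial or 5-octet body lengths not supported")
    else:                                           # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype                           # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]

def rsa_modulus_bits(key):
    """Modulus size of the v4 RSA public key in `key` (armored str or bytes), else None."""
    tag, body = first_packet(dearmor(key) if isinstance(key, str) else key)
    if tag != 6 or body[0] != 4 or body[5] not in RSA_ALGOS:
        return None
    declared = int.from_bytes(body[6:8], "big")     # bit count claimed by the MPI header
    # Measure the integer itself so a padded modulus cannot overstate its size.
    return int.from_bytes(body[8:8 + (declared + 7) // 8], "big").bit_length()

def is_weak(key):
    bits = rsa_modulus_bits(key)
    return bits is not None and bits < MIN_RSA_BITS

def sample_key(bits):  # constructed test packet: filler modulus, not a real key
    n = (1 << (bits - 1)) | 1
    body = b"\x04" + bytes(4) + b"\x01" + bits.to_bytes(2, "big") + n.to_bytes(bits // 8, "big")
    body += b"\x00\x11\x01\x00\x01"                 # MPI for e = 65537 (17 bits)
    return b"\x99" + len(body).to_bytes(2, "big") + body
```

Run is_weak() over every stored public key after upgrading; any key it flags predates the fix and has to be regenerated, since patching the code does not strengthen keys already issued.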

Affected Version(s)

AVideo <= 26.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
