Authentication Bypass in AVideo Open Source Video Platform
CVE-2026-40935

5.3 MEDIUM

Key Information:

Vendor

Wwbn

Status
Vendor
CVE Published:
21 April 2026

What is CVE-2026-40935?

AVideo, an open-source video platform, has a vulnerability in its CAPTCHA generation that unauthenticated clients can exploit. The 'objects/getCaptcha.php' script takes the CAPTCHA length directly from a query-string parameter without validating or restricting it. An attacker can therefore request a 1-character CAPTCHA, which makes brute forcing any endpoint that relies on CAPTCHA validation, such as user registration and password recovery, trivial. Because the system does not invalidate the session's CAPTCHA token after a failed validation attempt, an attacker can guess repeatedly against the same challenge and bypass the CAPTCHA protection within approximately 33 requests. A fix has been implemented in the latest version to address this issue.
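The description names two separate defects: the CAPTCHA length is controlled by the client, and a failed check leaves the challenge answer in place for another try. The example below is added here to illustrate the defensive pattern that closes both; it is not AVideo's code and is written in Python rather than the project's PHP. The class names, the 36-symbol alphabet, the 5 to 8 character length bounds and the 300-second lifetime are all assumptions chosen for the demonstration.

```python
import secrets
import string
import time

# Assumed challenge alphabet (uppercase letters and digits); not AVideo's.
ALPHABET = string.ascii_uppercase + string.digits


class VulnerableCaptcha:
    """Mirrors the flawed pattern from the advisory: the length is taken from
    the client as-is, and a wrong guess does not invalidate the stored answer."""

    def __init__(self):
        self.sessions = {}  # session id -> expected answer

    def generate(self, session_id, length_param):
        length = int(length_param)  # trusted verbatim, so "1" yields a 1-char challenge
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.sessions[session_id] = answer
        return answer  # a real app would render this as an image

    def verify(self, session_id, guess):
        # The answer stays stored whether or not the guess was right.
        return self.sessions.get(session_id) == guess.upper()


# Assumed server-side policy for the hardened variant.
MIN_LEN, MAX_LEN, DEFAULT_LEN = 5, 8, 6
TTL_SECONDS = 300


def effective_length(length_param):
    """Clamp a client-supplied length into the server's allowed range,
    falling back to the default when the value is missing or not an integer."""
    try:
        requested = int(length_param) if length_param is not None else DEFAULT_LEN
    except (TypeError, ValueError):
        requested = DEFAULT_LEN
    return min(max(requested, MIN_LEN), MAX_LEN)


class HardenedCaptcha:
    """Hardened pattern: length is clamped server-side, each challenge expires,
    and any verification attempt consumes the challenge regardless of outcome."""

    def __init__(self, now=time.time):
        self.sessions = {}  # session id -> (expected answer, expiry timestamp)
        self.now = now      # injectable clock so expiry can be tested

    def generate(self, session_id, length_param=None):
        length = effective_length(length_param)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.sessions[session_id] = (answer, self.now() + TTL_SECONDS)
        return answer

    def verify(self, session_id, guess):
        # pop() makes the challenge single-use: a failed guess forces a new
        # CAPTCHA, so the same challenge cannot be attempted repeatedly.
        record = self.sessions.pop(session_id, None)
        if record is None:
            return False
        answer, expires_at = record
        if self.now() > expires_at:
            return False
        # Constant-time comparison on bytes; non-ASCII input simply fails.
        return secrets.compare_digest(answer.encode(), guess.upper().encode("utf-8", "replace"))


if __name__ == "__main__":
    v = VulnerableCaptcha()
    a = v.generate("sess-1", "1")
    print("vulnerable: length", len(a), "| correct answer still accepted after a miss:",
          v.verify("sess-1", "?") is False and v.verify("sess-1", a))
    h = HardenedCaptcha()
    b = h.generate("sess-2", "1")
    print("hardened:   length", len(b), "| answer rejected after a miss:",
          h.verify("sess-2", "?") is False and h.verify("sess-2", b) is False)
```

The two properties that matter are visible in `HardenedCaptcha`: `effective_length` never lets a request shrink the keyspace below the configured minimum, and `verify` removes the stored answer before comparing, so a wrong guess costs the client a fresh challenge rather than a free retry. Rate limiting per client remains a worthwhile additional layer, but it is not what the advisory's fix is about.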

Affected Version(s)

AVideo <= 29.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
