The vulnerability (CVE-2026-40935) in WWBN AVideo (<=29.0) arises from the objects/getCaptcha.php script accepting the CAPTCHA length parameter (ql) directly from the query string without sanitization or clamping. This allows an attacker to force the server to generate a very short (1-character) CAPTCHA. The CAPTCHA validation uses a case-insensitive comparison over a roughly 33-character alphabet, and importantly, failed CAPTCHA validations do not consume or invalidate the stored session token. Consequently, an attacker can brute-force the CAPTCHA with at most approximately 33 requests per session, compromising endpoints that rely on Captcha::validation(), including user registration, password recovery, and contact forms. A code commit has been identified that fixes the issue, but no formal patch or vendor advisory is currently documented.

The vulnerability allows an unauthenticated attacker to bypass CAPTCHA protections by brute-forcing a very short CAPTCHA in a small number of attempts without session token invalidation. This can lead to automated abuse of endpoints protected by CAPTCHA, such as user registration, password recovery, and contact forms, potentially facilitating account enumeration or unauthorized actions. The CVSS score is 5.3 (medium severity), reflecting the ease of exploitation but limited direct confidentiality or availability impact.

A fix is available in the codebase as identified by commit bf1c76989e6a9054be4f0eb009d68f0f2464b453. Users of WWBN AVideo should apply this fix or upgrade to a version including it. No official vendor advisory or patch release is currently referenced, so users should monitor the vendor's channels for an official update. Until patched, consider implementing additional rate limiting or CAPTCHA validation improvements to mitigate brute-force attempts.