{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.518Z", "datePublished": "2026-04-21T22:21:17.009Z", "dateUpdated": "2026-04-22T18:36:10.405Z"}, "containers": {"cna": {"title": "WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure", "problemTypes": [{"descriptions": [{"cweId": "CWE-804", "lang": "en", "description": "CWE-804: Guessable CAPTCHA", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr"}, {"name": "https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:21:17.009Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix."}], "source": {"advisory": "GHSA-hg7g-56h5-5pqr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:34:39.128005Z", "id": "CVE-2026-40935", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:36:10.405Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40935", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:34:39.128005Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:14:01.653Z"}}], "cna": {"title": "WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure", "source": {"advisory": "GHSA-hg7g-56h5-5pqr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 29.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453", "name": "https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-804", "description": "CWE-804: Guessable CAPTCHA"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:21:17.009Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40935", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:36:10.405Z", "dateReserved": "2026-04-15T20:40:15.518Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T22:21:17.009Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA", "versionEndIncluding": "29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix."}], "id": "CVE-2026-40935", "lastModified": "2026-04-23T15:50:14.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:20.577", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/bf1c76989e6a9054be4f0eb009d68f0f2464b453"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-804"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T06:16:51.305680+00:00", "value": {"mitigation_remediation": ["Update WWBN AVideo to a release newer than 29.0 that includes commit bf1c76989e6a9054be4f0eb009d68f0f2464b453", "Temporarily disable CAPTCHA validation on registration, password recovery, and contact form endpoints until the patch is applied", "Ensure that a CAPTCHA failure triggers invalidation of the session token to prevent brute\u2011force reuse of the same token"], "summary": {"action": "Patch", "impact": "CAPTCHA bypass & brute force"}, "threat_synthesis": {"affected_systems": "Open source video platform WWBN:AVideo, affected in all releases up to and including version 29.0, where the vulnerability exists in the objects/getCaptcha.php handler.", "description_and_impact": "WWBN AVideo versions 29.0 and earlier permit any unauthenticated client to provide a CAPTCHA length parameter via the query string without validation, causing the server to generate a single\u2011character CAPTCHA. The server compares the supplied answer using a case\u2011insensitive comparison over an alphabet of roughly 33 characters and does not invalidate the stored session token when a validation fails. This combination allows an attacker to brute\u2011force the correct answer in about 33 attempts per session, enabling the exploitation of any feature that relies on Captcha::validation(), such as user registration, password recovery, or contact forms.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the flaw is not listed in CISA\u2019s KEV catalog. The attack can be launched from any network location with no authentication, making it relatively easy to exploit in any environment where the vulnerable code is deployed. Attackers can create or access accounts and other privileged operations by repeatedly solving the short CAPTCHA during account\u2011related activities."}}}}, "created": "2026-04-22T04:30:05.309203+00:00", "updated": "2026-04-22T06:30:10.664264+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}