CVE-2026-40935— WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40935
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
可猜测的验证码
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在安全漏洞,该漏洞源于objects/getCaptcha.php直接从查询字符串接受CAPTCHA长度且未进行限制或清理,可能导致任何未经身份验证的客户端强制服务器生成1字符CAPTCHA,结合不区分大小写的strcasecmp比较和验证失败不消耗存储的会话令牌,攻击者可轻易暴力破解任何依赖Captcha::validation的端点上的CAPTCHA。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40935
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40935
请登录查看更多情报信息。
Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total
| CVE-2026-40911 | 10.0 CRITICAL | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaSc |
| CVE-2026-41064 | 9.3 CRITICAL | AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) |
| CVE-2026-40909 | 8.7 HIGH | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File W |
| CVE-2026-41055 | 8.6 HIGH | AVideo has an incomplete fix for CVE-2026-33039 (SSRF) |
| CVE-2026-40925 | 8.3 HIGH | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeo |
| CVE-2026-41058 | 8.1 HIGH | AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo |
| CVE-2026-41056 | 8.1 HIGH | AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enable |
| CVE-2026-41060 | 7.7 HIGH | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL |
| CVE-2026-40926 | 7.1 HIGH | WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Scrip |
| CVE-2026-41057 | 7.1 HIGH | AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) t |
| CVE-2026-40907 | 6.5 MEDIUM | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys |
| CVE-2026-41062 | 6.5 MEDIUM | WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in Rec |
| CVE-2026-40929 | 5.4 MEDIUM | WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comme |
| CVE-2026-41063 | 5.4 MEDIUM | WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) |
| CVE-2026-41061 | 5.4 MEDIUM | WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiv |
| CVE-2026-40928 | 5.4 MEDIUM | AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Cr |
| CVE-2026-40908 | 5.3 MEDIUM | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes De |
| CVE-2026-41304 | WWBN AVideo vulnerable to RCE caused by clonesite plugin |
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same vendor: WWBN
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same weakness: CWE-804
- CVE-2026-27411
WordPress SiteGuard WP plugin plugin <= 1.7.9 - Captcha Bypa - CVE-2025-10423
newbee-mall kaptcha mallKaptcha Captcha - CVE-2025-8546
atjiu pybbs Verification Code login Captcha - CVE-2025-32036
DNN allows the possibility of bypassing Captcha - CVE-2025-1262
Advanced Google reCaptcha <= 1.27 - Built-in Math CAPTCHA By
V. Comments for CVE-2026-40935
No comments yet