Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.
AnalysisAI
WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).
Technical ContextAI
This vulnerability is classified under CWE-1188 (Insecure Default Initialization of Resource), specifically relating to hardcoded credentials in infrastructure-as-code deployment files. The WWBN AVideo platform uses Docker Compose for deployment orchestration, with environment configuration templates (docker-compose.yml and env.example) containing the SYSTEM_ADMIN_PASSWORD parameter preset to 'password'. During automated installation, this value seeds the administrative account without validation, complexity enforcement, or post-installation password change requirements. The authentication mechanism relies on MD5 hashing, a cryptographically broken algorithm vulnerable to collision attacks and rainbow table lookups, further degrading the security posture even if passwords were changed post-deployment.
RemediationAI
Upgrade WWBN AVideo to version 26.0 or later, which addresses the insecure default credential issue as documented in GitHub commit 2075fac1a51f21fab5d8592235a095aa354a9de6 and security advisory GHSA-89rv-p523-6wg9 (https://github.com/WWBN/AVideo/security/advisories/GHSA-89rv-p523-6wg9). For existing deployments that cannot be immediately upgraded, immediately change the administrator password through the application interface to a strong, unique credential and rotate database credentials from the default 'avideo/avideo' combination. Review all Docker environment files to ensure SYSTEM_ADMIN_PASSWORD is set to a secure value before any new deployments. Implement network segmentation to restrict administrative interface access to trusted IP ranges and consider placing the application behind a web application firewall with brute-force protection. Organizations should audit all existing AVideo instances deployed via Docker to verify that default credentials were changed post-installation.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13575