Is Docker affected by EUVD-2026-13575?

WWBN AVideo instances running version 25.0 or below are exposed to immediate administrative compromise due to hardcoded default credentials that bypass authentication entirely.

EUVD-2026-13575

| CVE-2026-33037 HIGH

2026-03-20 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 20, 2026 - 08:37 vuln.today

EUVD ID Assigned

Mar 20, 2026 - 08:37 euvd

EUVD-2026-13575

CVE Published

Mar 20, 2026 - 06:16 nvd

HIGH 8.1

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediately vulnerable to trivial administrative takeover. No compensating controls exist: there is no forced password change on first login, no complexity validation, no default-password detection, and the password is hashed with weak MD5. Full admin access enables user data exposure, content manipulation, and potential remote code execution via file uploads and plugin management. The same insecure-default pattern extends to database credentials (avideo/avideo), compounding the risk. Exploitation depends on operators failing to change the default, a condition likely met in quick-start, demo, and automated deployments. This issue has been fixed in version 26.0.

Analysis

WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. …

Remediation

Within 24 hours: Identify all WWBN AVideo deployments in your environment and document their internet exposure status. Within 7 days: Implement network segmentation to restrict administrative access, enforce strong password changes on all admin accounts, and disable file upload and plugin management features if not operationally critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +40

POC: 0

EUVD-2026-13575 vulnerability details – vuln.today

Back

EUVD-2026-13575

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-13575

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code