High severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
CVE-2026-33512
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-mwjc-5j4x-r686ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33512ghsaADVISORY
- github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.