CVE-2026-33512 PUBLISHED

AVideo has an unauthenticated decrypt oracle leaking any ciphertext

Assigner: GitHub_M
Reserved: 20.03.2026 Published: 23.03.2026 Updated: 23.03.2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WWBN
Product	AVideo
Versions	Version <= 26.0 is affected

References

Problem Types

CWE-287: Improper Authentication CWE
CWE-312: Cleartext Storage of Sensitive Information CWE
CWE-326: Inadequate Encryption Strength CWE
CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE