CVE-2026-33512

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

Affected Software

VendorProductVersion RangeStatus
WWBNAVideo<= 26.0affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-312: CWE-312: Cleartext Storage of Sensitive Information
  • CWE-326: CWE-326: Inadequate Encryption Strength
  • CWE-327: CWE-327: Use of a Broken or Risky Cryptographic Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References