CVE-2026-56346
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AVideo | AVideo | 0 <= 25.0 | affected |
Weaknesses
- CWE-306: Missing Authentication for Critical Function
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-5x2w-37xf-7962
- https://www.vulncheck.com/advisories/avideo-unauthenticated-pgp-message-decryption-via-decryptmessage-json-php-endpoint
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.