Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33512 describes an unauthenticated decryption vulnerability in the wwbn/avideo API plugin. An attacker can submit ciphertext and receive the corresponding plaintext, exposing sensitive tokens and metadata. The vulnerability affects wwbn/avideo versions up to and including 26.0; the vendor fixed it in 26.0.1.
The flaw is in the decryptString action of the plugin/API/get.json.php endpoint, which performs no authentication check before dispatching to getapidecryptString() in plugin/API/API.php. An attacker simply crafts a request to that endpoint with the ciphertext to be decrypted. Because the ciphertext itself is obtainable without credentials (for example from view/url2Embed.json.php), recovering plaintext tokens and metadata requires no prior access at all. The recovered values can then be used for unauthorized access to protected resources, leading to data exposure and potentially compromise of the whole installation. The public availability of the ciphertext is what makes this a low-effort attack rather than a theoretical one.
The vulnerability was publicly disclosed on 2026-03-20. Because no authentication is required and the input is a single request parameter, it is easy to exploit, and public proof-of-concept code is likely to appear quickly. The public availability of the ciphertext raises the impact, which makes this a high-priority item. No KEV listing or confirmed in-the-wild exploitation reports are currently available.
Organizations running wwbn/avideo 26.0 or earlier are at significant risk, especially where the API endpoints are reachable from the internet or where tokens and metadata are protected only by this encryption. Shared hosting environments, where multiple users share the same server instance, are affected in the same way.
• php / web: Send a decryption request to the endpoint without any session cookie and check the response. Printing the status code and body is more reliable than grepping for the literal `HTTP/1.1 200 OK`, which misses servers that answer over HTTP/2:
curl -s -w '\n%{http_code}\n' 'https://example.com/plugin/API/get.json.php?string=YOUR_CIPHERTEXT'
A 200 response whose body contains the decrypted value confirms the installation is vulnerable; a 200 with an error body does not, so inspect the body rather than the status alone.
• php / web: Examine access logs for requests to /plugin/API/get.json.php that carry a `string` parameter or reference the decryptString action.
• generic web: Check whether view/url2Embed.json.php is reachable without authentication and whether its output contains the ciphertext an attacker would need.
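The log check above can be automated. The following is an added example, not code from the AVideo project or from this advisory: it parses Apache/nginx "combined" format access-log lines, flags requests to plugin/API/get.json.php that reference the decryptString action or carry a `string` parameter, and tallies them by source IP and response status. The sample log lines are constructed for the example; the `APIName=` parameter used in them is an assumption about how get.json.php selects its action, and the detector does not depend on it because it also matches the literal action name anywhere in the decoded query string and the `string` parameter alone.

```python
"""Triage aid for CVE-2026-33512: find decryptString requests in access logs.

Added example; not part of the AVideo project. Assumes Apache/nginx
"combined" log format. The APIName= parameter in the sample lines is an
assumption about the endpoint's action selector.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Suffix match so installs under a sub-directory (e.g. /avideo/) are also caught.
VULN_PATH = "/plugin/api/get.json.php"
ACTION = "decryptstring"

# Constructed sample data: two plain probes, one legitimate embed lookup,
# one percent-encoded probe against a sub-directory install (blocked by a
# WAF with 403), and one unrelated API call that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:14:02 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=Zm9vYmFy HTTP/1.1" 200 87 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:14:05 +0000] "GET /plugin/API/get.json.php?string=YWJjZGVm HTTP/1.1" 200 91 "-" "curl/8.5.0"
198.51.100.4 - - [20/Mar/2026:10:15:11 +0000] "GET /view/url2Embed.json.php?videos_id=12 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2026:10:15:12 +0000] "GET /avideo/plugin/API/get.json.php?APIName=%64ecryptString&string=QUJD HTTP/2.0" 403 0 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2026:10:16:00 +0000] "GET /plugin/API/get.json.php?APIName=video HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict with ip/ts/method/target/status, or None if not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_decrypt_request(target: str) -> bool:
    """True if the request target hits get.json.php with a decryptString action
    or a ciphertext-bearing 'string' parameter. Path and parameter names are
    compared case-insensitively, and the query is percent-decoded first so
    encoded variants such as %64ecryptString are not missed."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULN_PATH):
        return False
    decoded_query = unquote(parts.query).lower()
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return ACTION in decoded_query or "string" in params


def scan(lines):
    """Return the parsed records of every line that looks like a decryption request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_decrypt_request(rec["target"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source IP, HTTP status); 200s are the ones that likely succeeded."""
    return Counter((h["ip"], h["status"]) for h in hits)


if __name__ == "__main__":
    for (ip, status), n in summarize(scan(SAMPLE_LOG.splitlines())).items():
        print(f"{ip:16} status={status} requests={n}")
```

Only GET query strings are visible in standard access logs; a probe that sends the parameters in a POST body will show up as a bare request to get.json.php, so treat any unexpected POST to that path as worth a closer look as well. Run the script against a real log with `scan(open(path))` instead of the constructed sample.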
Disclosure
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to wwbn/avideo 26.0.1 or later. Where the upgrade cannot be applied immediately, limit exposure of the vulnerable endpoint: configure a Web Application Firewall (WAF) to block requests to plugin/API/get.json.php that reference the decryptString action, or to require an authenticated session for that action. Restrict access to view/url2Embed.json.php so attackers cannot harvest the ciphertext in the first place, and monitor API logs for decryption requests from unexpected sources. After upgrading, confirm the fix by calling the decryptString action without authentication and verifying that the request is rejected instead of returning plaintext.
Update AVideo to a version later than 26.0. The update fixes the unauthenticated decryption vulnerability. Further details on the fix are in commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13.
CVE-2026-33512 is a HIGH severity vulnerability affecting wwbn/avideo versions up to 26.0. It allows unauthenticated attackers to decrypt strings, potentially exposing sensitive data.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet applied a patch or implemented mitigating controls.
Upgrade to wwbn/avideo 26.0.1 or later. Until the upgrade is applied, use WAF rules to restrict access to the vulnerable endpoint and monitor API logs for decryption requests.
While no confirmed exploitation has been reported, the vulnerability's ease of exploitation and public disclosure suggest it may be targeted soon.
Refer to the official wwbn/avideo security advisories on their website or relevant security mailing lists for updates and patches.