Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33512 describes an unauthenticated decryption vulnerability within the wwbn/avideo API plugin. This flaw allows attackers to submit ciphertext and receive plaintext, potentially exposing sensitive tokens and metadata. The vulnerability impacts wwbn/avideo versions up to 26.0. A fix is expected to be released by the vendor.
The core of the vulnerability is the decryptString action of the plugin/API/get.json.php endpoint, which performs no authentication check before handing the request to the getapidecryptString() function in plugin/API/API.php. Any caller can therefore submit ciphertext and receive the corresponding plaintext. Because the ciphertext itself is publicly obtainable (for example from view/url2Embed.json.php), an attacker does not need any prior access to recover the tokens and metadata it protects. This can lead to unauthorized access to protected resources, exposure of data, and, depending on what the recovered tokens grant, further compromise of the installation. The public availability of the ciphertext significantly lowers the barrier to exploitation.
This vulnerability was publicly disclosed on 2026-03-20. The lack of authentication makes it relatively easy to exploit. Public proof-of-concept code is likely to emerge quickly. The vulnerability's impact is heightened by the public availability of the ciphertext, making it a potentially high-priority target. No KEV listing or confirmed exploitation reports are currently available.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade to a patched version of wwbn/avideo once available. Until then, implement temporary workarounds to limit exposure of the vulnerable endpoint. A Web Application Firewall (WAF) can be configured either to block requests to plugin/API/get.json.php or to enforce authentication for the decryptString action; note that blocking the whole endpoint also stops legitimate API clients, so restricting only the decryptString action is the less disruptive option. Review and restrict access to view/url2Embed.json.php so that attackers cannot obtain the ciphertext in the first place. Monitor API access logs for decryption requests, particularly unauthenticated ones. After upgrading, confirm the vulnerability is resolved by requesting the decryptString action without authentication and verifying that the request is refused.
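As an added example (not part of this advisory or of the AVideo project), a small log filter that picks out requests for the decryptString action on plugin/API/get.json.php that were made without a session cookie. The log layout, the `APIName` action parameter and the `PHPSESSID` cookie name are assumptions; adjust them to what your web server and installation actually log.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed log layout: combined log format plus the request's Cookie header
# appended as one extra quoted field ("-" when none was sent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
VULN_PATH = "/plugin/API/get.json.php"
VULN_ACTION = "decryptString"
ACTION_PARAM = "APIName"      # assumed: name of the API action query parameter
SESSION_COOKIE = "PHPSESSID"  # assumed: name of the PHP session cookie

# Constructed sample lines: one unauthenticated decrypt, one with a session,
# one ciphertext fetch from url2Embed, one unrelated API call.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=abc HTTP/1.1" 200 312 "-" "curl/8.0" "-"
198.51.100.7 - - [20/Mar/2026:10:01:05 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=def HTTP/1.1" 200 318 "-" "Mozilla/5.0" "PHPSESSID=abcd"
203.0.113.5 - - [20/Mar/2026:10:01:09 +0000] "GET /view/url2Embed.json.php?videos_id=1 HTTP/1.1" 200 512 "-" "curl/8.0" "-"
203.0.113.5 - - [20/Mar/2026:10:01:12 +0000] "GET /plugin/API/get.json.php?APIName=video HTTP/1.1" 200 900 "-" "curl/8.0" "-"
"""

def parse_line(line):
    """Parse one access-log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_decrypt_request(target):
    """True when the request path and action match the vulnerable endpoint."""
    url = urlparse(target)
    if url.path != VULN_PATH:
        return False
    return VULN_ACTION in parse_qs(url.query).get(ACTION_PARAM, [])

def has_session(cookie_field):
    """True when the logged Cookie header carries the session cookie."""
    return any(c.strip().startswith(SESSION_COOKIE + "=")
               for c in cookie_field.split(";"))

def find_unauthenticated_decrypts(log_text):
    """Return (ip, timestamp, status) for decryptString calls made without a session."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_decrypt_request(rec["target"]) and not has_session(rec["cookie"]):
            hits.append((rec["ip"], rec["ts"], int(rec["status"])))
    return hits
```

Hits that returned status 200 on an unpatched install are the requests to investigate, and the same filter can be re-run after the upgrade as the verification step the advisory describes.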
Update AVideo to a version later than 26.0. The update fixes the unauthenticated decryption vulnerability; see commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 for details of the fix.
CVE-2026-33512 is a HIGH severity vulnerability affecting wwbn/avideo versions up to 26.0. It allows unauthenticated attackers to decrypt strings, potentially exposing sensitive data.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet applied a patch or implemented mitigating controls.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules to restrict access to the vulnerable endpoint and monitor API logs.
While no confirmed exploitation has been reported, the vulnerability's ease of exploitation and public disclosure suggest it may be targeted soon.
Refer to the official wwbn/avideo security advisories on their website or relevant security mailing lists for updates and patches.