Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-33512 describes an unauthenticated decryption vulnerability within the wwbn/avideo API plugin. This flaw allows attackers to submit ciphertext and receive plaintext, potentially exposing sensitive tokens and metadata. The vulnerability impacts wwbn/avideo versions up to 26.0. A fix is expected to be released by the vendor.
The core of the vulnerability lies in the decryptString action within the plugin/API/get.json.php endpoint, which lacks any authentication checks. Attackers can exploit this by crafting requests to plugin/API/API.php's getapidecryptString() function, providing ciphertext to be decrypted. Because the ciphertext can be obtained publicly (e.g., from view/url2Embed.json.php), an attacker can easily recover plaintext tokens and metadata. This could lead to unauthorized access to protected resources, data breaches, and potential compromise of the entire system. The public nature of the ciphertext significantly lowers the barrier to exploitation.
This vulnerability was publicly disclosed on 2026-03-20. The lack of authentication makes it relatively easy to exploit. Public proof-of-concept code is likely to emerge quickly. The vulnerability's impact is heightened by the public availability of the ciphertext, making it a potentially high-priority target. No KEV listing or confirmed exploitation reports are currently available.
Organizations using wwbn/avideo versions 26.0 and earlier, particularly those with publicly accessible API endpoints or those who rely on tokens and metadata protected by the decryption functionality, are at significant risk. Shared hosting environments where multiple users share the same server instance are also vulnerable.
• php / web: curl -v 'https://example.com/plugin/API/get.json.php?string=YOUR_CIPHERTEXT' 2>&1 | grep -i 'HTTP/1.1 200 OK' (a 200 status alone does not prove decryption succeeded; inspect the response body as well).
• php / web: Examine access logs for requests to /plugin/API/get.json.php with a string parameter.
• generic web: Check whether view/url2Embed.json.php exists and whether its output exposes ciphertext.
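The access-log check above can be automated. The following is an added example (not code from the advisory or from the AVideo project) that scans combined-format web server log lines for requests to plugin/API/get.json.php that carry a string parameter or a decryptString action, and summarizes them per source IP; the APIName query parameter and all log lines are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=abc123 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [20/Mar/2026:10:01:03 +0000] "GET /plugin/API/get.json.php?string=def456 HTTP/1.1" 200 498 "-" "curl/8.4.0"
198.51.100.4 - - [20/Mar/2026:10:02:11 +0000] "GET /view/url2Embed.json.php?videos_id=42 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2026:10:02:15 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2026:10:03:00 +0000] "POST /plugin/API/get.json.php?APIName=decryptString HTTP/1.1" 403 120 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/plugin/API/get.json.php"

def is_decrypt_request(target):
    """True when the target is get.json.php with a decryptString action
    (APIName parameter is an assumption) or with a 'string' parameter."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False
    q = parse_qs(parts.query)
    return "decryptString" in q.get("APIName", []) or "string" in q

def find_decrypt_requests(log_text):
    """Return one record per log line that looks like a decryption request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_decrypt_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits

def summarize(hits):
    """Count matching requests per source IP; 'succeeded' counts HTTP 200 responses."""
    total = Counter(h["ip"] for h in hits)
    ok = Counter(h["ip"] for h in hits if h["status"] == 200)
    return {ip: {"requests": total[ip], "succeeded": ok[ip]} for ip in total}

if __name__ == "__main__":
    for ip, s in summarize(find_decrypt_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} decrypt request(s), {s['succeeded']} returned 200")
```

Feed a real access log into find_decrypt_requests and triage any source IP whose succeeded count is non-zero before the patch was applied.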
disclosure
Exploit Status
EPSS
0.02% (percentile 6%)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of wwbn/avideo once available. Until then, implement temporary workarounds to limit the exposure of the vulnerable endpoint. A Web Application Firewall (WAF) can be configured to block requests to plugin/API/get.json.php or to enforce authentication for the decryptString action. Review and restrict access to view/url2Embed.json.php to prevent attackers from obtaining the ciphertext. Carefully monitor API logs for suspicious decryption requests. After upgrade, confirm the vulnerability is resolved by attempting to access the decryptString endpoint without authentication and verifying that access is denied.
Update AVideo to a version later than 26.0. The update fixes the unauthenticated decryption vulnerability. See commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 for details of the fix.
CVE-2026-33512 is a HIGH severity vulnerability affecting wwbn/avideo versions up to 26.0. It allows unauthenticated attackers to decrypt strings, potentially exposing sensitive data.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet applied a patch or implemented mitigating controls.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules to restrict access to the vulnerable endpoint and monitor API logs.
While no confirmed exploitation has been reported, the vulnerability's ease of exploitation and public disclosure suggest it may be targeted soon.
Refer to the official wwbn/avideo security advisories on their website or relevant security mailing lists for updates and patches.