26.0.1
CVE-2026-33512 describes an unauthenticated decryption vulnerability within the wwbn/avideo API plugin. This flaw allows attackers to submit ciphertext and receive plaintext, potentially exposing sensitive tokens and metadata. The vulnerability impacts wwbn/avideo versions up to 26.0. A fix is expected to be released by the vendor.
The core of the vulnerability lies in the decryptString action within the plugin/API/get.json.php endpoint, which lacks any authentication checks. Attackers can exploit this by crafting requests to plugin/API/API.php's getapidecryptString() function, providing ciphertext to be decrypted. Because the ciphertext can be obtained publicly (e.g., from view/url2Embed.json.php), an attacker can easily recover plaintext tokens and metadata. This could lead to unauthorized access to protected resources, data breaches, and potential compromise of the entire system. The public nature of the ciphertext significantly lowers the barrier to exploitation.
This vulnerability was publicly disclosed on 2026-03-20. The lack of authentication makes it relatively easy to exploit. Public proof-of-concept code is likely to emerge quickly. The vulnerability's impact is heightened by the public availability of the ciphertext, making it a potentially high-priority target. No KEV listing or confirmed exploitation reports are currently available.
Organizations using wwbn/avideo versions 26.0 and earlier, particularly those with publicly accessible API endpoints or those who rely on tokens and metadata protected by the decryption functionality, are at significant risk. Shared hosting environments where multiple users share the same server instance are also vulnerable.
• php / web:
curl -v 'https://example.com/plugin/API/get.json.php?string=YOUR_CIPHERTEXT' 2>&1 | grep -i 'HTTP/1.1 200 OK'
• php / web: Examine access logs for requests to /plugin/API/get.json.php with a string parameter.
• generic web: Check for the existence of view/url2Embed.json.php and its contents for potentially exposed ciphertext.
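Added example (not from the advisory or the AVideo project): a small Python scanner that implements the access-log check above. It assumes an Apache/Nginx combined log format and runs over constructed sample lines; the signal it looks for is the one the advisory names, a request to /plugin/API/get.json.php carrying a string parameter, and the APIName=decryptString shape used in the sample line is an assumption about the request format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format (assumption: the server writes this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

VULN_PATH = "/plugin/API/get.json.php"

# Constructed sample log lines for demonstration; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:15:01 +0000] "GET /plugin/API/get.json.php?APIName=decryptString&string=U2FsdGVkX1... HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.4 - - [20/Mar/2026:10:15:03 +0000] "GET /view/url2Embed.json.php?videos_id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:15:05 +0000] "GET /plugin/API/get.json.php?APIName=video&videos_id=42 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
"""


def is_decrypt_request(line):
    """Return details if the line is a request to the vulnerable endpoint with a string parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable or different log format
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(VULN_PATH.lower()):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "string" not in qs:
        return None  # other API actions use this endpoint legitimately
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "string_len": len(qs["string"][0]),
        # Any mention of the decryptString action in the query string, regardless of parameter name.
        "mentions_decrypt": "decryptstring" in parts.query.lower(),
    }


def scan_log(lines):
    """Return all matching requests from an iterable of log lines."""
    return [hit for hit in (is_decrypt_request(l) for l in lines) if hit]


def requests_by_ip(hits):
    """Count matching requests per source IP to spot repeated decryption attempts."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 200 response on a hit means the server answered the request; correlate with the decryptString action in application logs before treating it as a confirmed decryption.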
Exploitation status: disclosure
EPSS: 0.02% (6th percentile)
The primary mitigation is to upgrade to a patched version of wwbn/avideo once available. Until then, implement temporary workarounds to limit the exposure of the vulnerable endpoint. A Web Application Firewall (WAF) can be configured to block requests to plugin/API/get.json.php or to enforce authentication for the decryptString action. Review and restrict access to view/url2Embed.json.php to prevent attackers from obtaining the ciphertext. Carefully monitor API logs for suspicious decryption requests. After upgrade, confirm the vulnerability is resolved by attempting to access the decryptString endpoint without authentication and verifying that access is denied.
Update AVideo to a version later than 26.0. The update fixes the unauthenticated decryption vulnerability. See commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 for more details on the fix.
CVE-2026-33512 is a HIGH severity vulnerability affecting wwbn/avideo versions up to 26.0. It allows unauthenticated attackers to decrypt strings, potentially exposing sensitive data.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet applied a patch or implemented mitigating controls.
Upgrade to a patched version of wwbn/avideo as soon as it becomes available. Until then, implement WAF rules to restrict access to the vulnerable endpoint and monitor API logs.
While no confirmed exploitation has been reported, the vulnerability's ease of exploitation and public disclosure suggest it may be targeted soon.
Refer to the official wwbn/avideo security advisories on their website or relevant security mailing lists for updates and patches.