CVE-2026-33361

HIGH NVD

CVSS Score 7.5

Severity HIGH

Published May 11, 2026

Vendor unknown

Description

In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.

References

https://github.com/xn0tsa/nobody-puts-baby-in-a-corner
https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361/