CVE-2026-33512

HIGH NVD

CVSS Score 7.5

Severity HIGH

Published Mar 23, 2026

Vendor unknown

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

References

https://github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13
https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686