CVE-2026-33512 — Improper Authentication in Avideo

CWE-287 — Improper Authentication CWE-312 — Cleartext Storage of Sensitive Info CWE-326 — Inadequate Encryption Strength CWE-327 — Use of a Broken or Risky Cryptographic Algorithm4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 91.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 20

PublishedMar 23

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDwwbn/avideo26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

AVideo has an unauthenticated decrypt oracle leaking any ciphertext↗2026-03-20

▶

GHSA

AVideo has an unauthenticated decrypt oracle leaking any ciphertext↗2026-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33512 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶