CVE-2026-33512 - Vulnerability Details

- AVideo has an unauthenticated decrypt oracle leaking any ciphertext

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

Published: 2026-03-23

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

AVideo up to version 26.0 exposes a decryptString API action that decrypts any provided ciphertext without requiring authentication. Because the ciphertext is generated by publicly available endpoints, any user can submit it to the API and receive the corresponding plaintext. This flaw effectively acts as a decryption oracle, allowing adversaries to recover protected tokens, embed URLs, or other sensitive metadata. The weakness involves unauthorized access, plaintext exposure, weak encryption, and insufficient key management, as noted by the listed CWEs.

Affected Systems

The vulnerability affects the open‑source video platform AVideo from WWBN. All releases up through version 26.0 are vulnerable; later releases include a patch that removes the unauthenticated decrypt endpoint.

Risk and Exploitability

The CVSS base score of 7.5 reflects high severity. The EPSS score of less than 1 % indicates that automated exploitation is currently unlikely, and the flaw is not listed in CISA’s KEV catalog. Attackers can exploit it by simply calling the public decryptString endpoint with any ciphertext, requiring no prior authentication or privileged access. The ease of exploitation and potential to expose sensitive data make the risk significant for any system running an affected version.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update AVideo to the latest version that includes the patch (commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13).
If an upgrade cannot be performed immediately, disable or remove the decryptString API action, for example by disabling the API plugin or restricting access to the endpoint to authenticated users only.

Generated by OpenCVE AI on March 25, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-mwjc-5j4x-r686	AVideo has an unauthenticated decrypt oracle leaking any ciphertext

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13
https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686

History

Wed, 25 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Tue, 24 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Mon, 23 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.
Title		AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Weaknesses		CWE-287 CWE-312 CWE-326 CWE-327
References		https://github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13 https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-23T18:17:47.070Z

Updated: 2026-03-24T18:34:59.006Z

Reserved: 2026-03-20T16:59:08.890Z

Link: CVE-2026-33512

Vulnrichment

Updated: 2026-03-24T18:34:55.839Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:40.420

Modified: 2026-03-25T17:51:40.870

Link: CVE-2026-33512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:27:55Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object