CVE-2026-33512

Source
https://cve.org/CVERecord?id=CVE-2026-33512
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33512.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33512
Aliases
Published
2026-03-23T18:17:47.070Z
Modified
2026-07-15T01:49:10.716530203Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.

Database specific
{
    "cwe_ids": [
        "CWE-287",
        "CWE-312",
        "CWE-326",
        "CWE-327"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33512.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

10.*
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
18.*
18.0
2.*
2.2
2.7
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0
3.*
3.4
4.*
4.0
7.*
7.2
7.3
7.4
7.6
7.7
7.8
8.*
8.1
8.5
8.6
8.7
8.9
8.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33512.json"