#VU125467 Improper Authentication in AVideo - CVE-2026-33512

 


Published: April 8, 2026


Vulnerability identifier: #VU125467
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33512
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authentication in the API plugin decryptString action when handling crafted requests to the unauthenticated API endpoint. A remote attacker can submit ciphertext to recover plaintext and disclose sensitive information.

Publicly accessible ciphertext returned by url2Embed.json.php can be decrypted through this oracle.


Remediation

Install the security update from the vendor's website.
