CVE-2026-33512
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Description
### Summary

The API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata.

Severity: High.

### Details

- Entry: `plugin/API/get.json.php` is unauthenticated.
- Handler: `plugin/API/API.php`, `get_api_decryptString()` (lines ~5945–5966):

  ```php
  $string = decryptString($_REQUEST['string']);
  return new ApiObject($string, empty($string));
  ```

  No APISecret or user check occurs before decrypting.
- Public ciphertext source: `view/url2Embed.json.php` returns `playLink`/`playEmbedLink` (`encryptString(json_encode(...))`) to any caller.

### PoC

1. Obtain ciphertext:

   ```
   GET /view/url2Embed.json.php?url=https://example.com/video.mp4
   ```

   Copy `playLink`.
2. Decrypt without auth:

   ```
   POST /plugin/API/get.json.php?APIName=decryptString
   Content-Type: application/x-www-form-urlencoded

   string=<playLink ciphertext>
   ```

   Response contains the plaintext JSON (videoLink, title, users_id, etc.).

### Impact

- Any encrypted payload produced by the platform can be decrypted by anyone.
- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.

### Mitigation

- Require API secret or authenticated/authorized user for `decryptString`, or remove the endpoint.
- Prefer one-way signatures (HMAC) instead of exposing generic decryption.
- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.
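While no fixed version exists, a defender can at least watch web-server access logs for the two-step pattern described in the PoC. The following is an added example, not code from the advisory or the AVideo project: it parses combined-format log lines, flags every call to `plugin/API/get.json.php` with `APIName=decryptString`, and marks those preceded by a `view/url2Embed.json.php` fetch from the same client. The log lines are constructed, and the 10-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /view/url2Embed.json.php?url=https://example.com/video.mp4 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "POST /plugin/API/get.json.php?APIName=decryptString HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2026:12:01:00 +0000] "GET /plugin/API/get.json.php?APIName=version HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:02:00 +0000] "POST /plugin/API/get.json.php?APIName=decryptstring&string=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one combined-log line into client IP, timestamp, method, path, query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['path'])
    # Query keys are lower-cased so casing tricks in the request do not hide the call.
    qs = {k.lower(): v for k, v in parse_qs(url.query).items()}
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': unquote(url.path),
        'query': qs,
        'status': int(m['status']),
    }

def is_decrypt_call(rec):
    """True when the request targets the API entry point with the decryptString action."""
    apiname = rec['query'].get('apiname', [''])[0].lower()
    return rec['path'].endswith('/plugin/API/get.json.php') and apiname == 'decryptstring'

def find_decrypt_oracle_use(log_text, window=timedelta(minutes=10)):
    """Return one alert per decryptString call; chained=True when the same IP fetched
    url2Embed.json.php (a public ciphertext source) within the window beforehand."""
    recent_embed = {}  # ip -> timestamp of the most recent url2Embed.json.php fetch
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['path'].endswith('/view/url2Embed.json.php'):
            recent_embed[rec['ip']] = rec['ts']
        elif is_decrypt_call(rec):
            last = recent_embed.get(rec['ip'])
            chained = last is not None and rec['ts'] - last <= window
            alerts.append({'ip': rec['ip'], 'ts': rec['ts'].isoformat(),
                           'chained_with_url2embed': chained, 'status': rec['status']})
    return alerts
```

Every hit is worth reviewing, since the endpoint has no legitimate unauthenticated use; the chained flag simply ranks the ones that look like the PoC sequence.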
How to fix CVE-2026-33512
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2026-33512 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- AVideo: versions from 0 up to and including 26.0