waoowaoo
CVE-2026-15594
LOW
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no privileges required, but high complexity; only limited confidentiality impact with no scope change, integrity, or availability effect.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is exploitable remotely without authentication (AV:N, PR:N per CVSS 4.0 vector), but requires high attack complexity (AC:H), meaning the attacker must meet non-trivial preconditions - most likely precise knowledge of the storageKey input format accepted by the stablePublicIdFromStorageKey function or the ability to enumerate valid key structures. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 (Medium) reflects a genuine middle-ground risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a waoowaoo deployment crafts a manipulated storageKey value and submits it to the endpoint invoking stablePublicIdFromStorageKey, bypassing the authorization check to resolve a public identifier for a media asset they are not authorized to access. Because a public proof-of-concept exists on GitHub issue #201, the required storageKey manipulation technique is likely documented, though the high attack complexity suggests the attacker must understand the key structure or trial-and-error within a constrained parameter space. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the coordinated disclosure submitted via GitHub issue #201 (https://github.com/waooAI/waoowaoo/issues/201). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today