Skip to main content

waoowaoo CVE-2026-15594

LOW
Improper Authorization (CWE-285)
2026-07-13 VulDB
2.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network-reachable with no privileges required, but high complexity; only limited confidentiality impact with no scope change, integrity, or availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Jul 13, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
Jul 13, 2026 - 21:22 NVD
6.3 (MEDIUM) 2.9 (LOW)
Analysis Generated
Jul 13, 2026 - 21:02 vuln.today
CVE Published
Jul 13, 2026 - 20:15 cve.org
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed waoowaoo media endpoint
Delivery
Analyze or enumerate storageKey format
Exploit
Craft manipulated storageKey argument
Execution
Submit request to stablePublicIdFromStorageKey
Persist
Bypass authorization check
Impact
Read unauthorized media asset

Vulnerability AssessmentAI

Exploitation The vulnerability is exploitable remotely without authentication (AV:N, PR:N per CVSS 4.0 vector), but requires high attack complexity (AC:H), meaning the attacker must meet non-trivial preconditions - most likely precise knowledge of the storageKey input format accepted by the stablePublicIdFromStorageKey function or the ability to enumerate valid key structures. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 (Medium) reflects a genuine middle-ground risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a waoowaoo deployment crafts a manipulated storageKey value and submits it to the endpoint invoking stablePublicIdFromStorageKey, bypassing the authorization check to resolve a public identifier for a media asset they are not authorized to access. Because a public proof-of-concept exists on GitHub issue #201, the required storageKey manipulation technique is likely documented, though the high attack complexity suggests the attacker must understand the key structure or trial-and-error within a constrained parameter space. …
Remediation No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the coordinated disclosure submitted via GitHub issue #201 (https://github.com/waooAI/waoowaoo/issues/201). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15594 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy