CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a02ccc9b9acc8da95de1c13 contains a patch.
Analysis
WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the `decryptString` action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from `view/url2Embed.json.php`), allowing recovery of protected tokens and metadata. …
Remediation
Within 24 hours: Identify all WWBN AVideo instances in your environment and document their versions and network exposure. Within 7 days: Implement network-level access controls to restrict the /api/plugin/decryptString endpoint, deploy WAF rules to block API calls to this endpoint, and isolate affected systems from untrusted networks if possible. …
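To check whether the action has already been called against an instance, the following added example (not code from this advisory or from the AVideo project) scans web server access logs for requests that name `decryptString`, including percent-encoded spellings, and summarises them per client. It assumes the common/combined log format; the sample lines, IP addresses and the `action`/`string` query parameter names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Common/combined log format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ACTION = "decryptstring"  # action name from the advisory, compared case-insensitively


def fully_decode(target, max_rounds=3):
    """Undo nested percent-encoding (%2553 -> %53 -> S), bounded to a few rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_decrypt_calls(lines):
    """Return {client_ip: {"hits": n, "ok": n_2xx, "first": ts, "last": ts}}."""
    report = defaultdict(lambda: {"hits": 0, "ok": 0, "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ACTION not in fully_decode(m["target"]).lower():
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["ok"] += m["status"].startswith("2")  # 2xx: the call was served
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(report)


# Constructed sample lines; URL shapes other than the advisory's path are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2026:10:01:11 +0000] "GET /api/plugin/decryptString?string=PLACEHOLDER HTTP/1.1" 200 412 "-" "curl/8.5"',
    '203.0.113.7 - - [02/Mar/2026:10:01:15 +0000] "GET /api?action=decrypt%2553tring&string=PLACEHOLDER HTTP/1.1" 200 398 "-" "curl/8.5"',
    '198.51.100.20 - - [02/Mar/2026:10:02:03 +0000] "GET /view/url2Embed.json.php HTTP/1.1" 200 950 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [02/Mar/2026:10:02:40 +0000] "POST /api/plugin/decryptString HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, stats in find_decrypt_calls(SAMPLE_LOG).items():
        print(ip, stats)
```

A request that carries the action name only in a POST body does not show up in an access log, so this covers URL-borne calls; clients with a non-zero `ok` count received a served response and are the ones to review first.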
EUVD-2026-14479