Skip to main content

Waoowaoo

2 CVEs product

Monthly

CVE-2026-15594 LOW POC Monitor

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-15557 MEDIUM POC This Month

Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.

Authentication Bypass Waoowaoo
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy