CVE-2026-56346

Description

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Affected products

AVideo / AVideo0 – 25.0

References

VENDOR_ADVISORYhttps://github.com/WWBN/AVideo/security/advisories/GHSA-5x2w-37xf-7962
VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/avideo-unauthenticated-pgp-message-decryption-via-decryptmessage-json-php-endpoint