CVE Catalog

CVE-2026-56346

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile - higher than 31% of all known CVEs

Summary

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.

Risk Assessment

The risk includes exposure of sensitive PGP keys in logs and the potential for denial-of-service attacks through resource exhaustion caused by unauthorized decryption requests.

Recommendation

Immediately update AVideo to the latest patched version and restrict access to the decryptMessage.json.php endpoint to authenticated users only.

Original NVD description (English source)

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS