CVE-2026-56346
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk31th percentile - higher than 31% of all known CVEs
Summary
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.
Risk Assessment
The risk includes exposure of sensitive PGP keys in logs and the potential for denial-of-service attacks through resource exhaustion caused by unauthorized decryption requests.
Recommendation
Immediately update AVideo to the latest patched version and restrict access to the decryptMessage.json.php endpoint to authenticated users only.
Original NVD description (English source)
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.

