CVE-2026-56346

MEDIUM 6.5

AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.

CWE	CWE-306
Vendor	avideo
Product	avideo
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for avideo avideo

Be the first to know when new medium vulnerabilities affecting avideo avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Affected Versions

AVideo / AVideo

0 ≤ 25.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-5x2w-37xf-7962 vulncheck.com: https://www.vulncheck.com/advisories/avideo-unauthenticated-pgp-message-decryption-via-decryptmessage-json-php-endpoint

Credits

🔍 fg0x0