CVE-2026-56346 | AVideo through version 25.0 contains an authentication bypas… | CVSS 6.5 MEDIUM

Description

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credentials, exposing key material to logs and enabling resource exhaustion attacks.

Metadata

CVE ID: CVE-2026-56346
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 18:13 UTC
Published: 2026-06-20 18:27 UTC
Last updated: 2026-06-20 18:27 UTC
Primary CWE: CWE-306
Missing Authentication for Critical Function
Vendor / Product: AVideo / AVideo
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected products (1)

Vendor	Product	Platform	Versions
AVideo	AVideo	—	0 ≤ 25.0

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing Authentication for Critical Function

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

References (2)

GHSA Advisory GHSA-5x2w-37xf-7962 https://github.com/WWBN/AVideo/security/advisories/GHSA-5x2w-37xf-7962
VulnCheck Advisory: AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint https://www.vulncheck.com/advisories/avideo-unauthenticated-pgp-message-decryption-via-decryptmessage-json-php-endpoint