Improper-Authentication — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/improper-authentication/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 24 Mar 2026 12:00:00 +0000WWBN AVideo Unauthenticated decryptString Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-03-avideo-decryptstring/Tue, 24 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-avideo-decryptstring/WWBN AVideo, up to version 26.0, contains an improper authentication vulnerability (CVE-2026-33512) in the API plugin's `decryptString` action, allowing unauthenticated users to decrypt publicly accessible ciphertext and potentially recover protected tokens/metadata.WWBN AVideo is an open-source video platform. Versions up to and including 26.0 are vulnerable to an improper authentication issue within the API plugin. The decryptString action, intended for internal decryption processes, is exposed without any authentication requirements. Attackers can exploit this vulnerability to submit ciphertext, which is publicly accessible through endpoints like view/url2Embed.json.php, and receive the corresponding plaintext. Successful exploitation allows…

]]>highadvisorycve-2026-33512avideoimproper-authenticationapi-vulnerability