How should we interpret CVSS severity scores?

CVSS estimates technical severity, but it does not automatically equal business risk. Prioritize using context like internet exposure, asset criticality, known exploitation, and whether compensating controls exist. A Medium CVSS on an exposed production system can be more urgent than a Critical on an isolated non-production host.

Vulnerability Database

Q: What is a Vulnerability (CVE) and why does it matter?

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

Q: What's the difference between a vulnerability, an exploit, and a zero-day?

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. Risk increases sharply when exploitation becomes reliable or widespread.

Q: Why do vulnerabilities keep reappearing in our environment?

Recurring findings usually come from incomplete asset discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host.

Q: How do we prioritize remediation without burning out the team?

Use a repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress so remediation is steady, not reactive.

Q: How can SynScan help reduce vulnerability risk over time?

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.

352,262

Total vulnerabilities in the database

AVideo has Unauthenticated PGP Message Decryption via Public Endpoint — wwbn / avideo

Missing Authentication for Critical Function

Summary

The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON response. This functionality is entirely unprotected, meaning no session, token, or credential is needed to invoke it.

Details

The endpoint at decryptMessage.json.php accepts a JSON body containing three user-supplied fields: a private key, an encrypted message, and a key password. The server passes these directly into a decryption routine and returns the result. There is no call to any authentication or session validation function before this operation is performed. The relevant server-side operation is:

$textDecrypted = decryptMessage($obj-&gt;textToDecrypt, $obj-&gt;privateKeyToDecryptMsg, $obj-&gt;keyPassword);

Because no access control exists, any unauthenticated request that reaches this endpoint will be processed. The primary concerns are exposure of private key material to server memory and logging infrastructure, and unconstrained consumption of server CPU resources for cryptographic operations. An attacker who has obtained a private key and matching ciphertext through other means can offload decryption work to the target server without holding any account on the platform.

PoC

curl -s -X POST \
  &quot;https://target.example.com/plugin/LoginControl/pgp/decryptMessage.json.php&quot; \
  -H &quot;Content-Type: application/json&quot; \
  -d &#039;{
    &quot;textToDecrypt&quot;: &quot;-----BEGIN PGP MESSAGE-----\n&lt;base64_ciphertext&gt;\n-----END PGP MESSAGE-----&quot;,
    &quot;privateKeyToDecryptMsg&quot;: &quot;-----BEGIN PGP PRIVATE KEY BLOCK-----\n&lt;base64_private_key&gt;\n-----END PGP PRIVATE KEY BLOCK-----&quot;,
    &quot;keyPassword&quot;: &quot;passphrase&quot;
  }&#039;

Impact

Private key material submitted to this endpoint is processed in server memory and may be captured in application logs, web server access logs, or error logs depending on server configuration. This can result in unintended disclosure of sensitive key material to administrators or anyone with log access. Additionally, the lack of any rate limiting combined with the absence of authentication allows any external party to submit large volumes of decryption requests, consuming server CPU resources without restriction. Any user who can reach the endpoint network-layer can trigger these effects.

Mitigation

A User::isLogged() check, or an equivalent session and authentication validation step, should be added at the top of decryptMessage.json.php before any user-supplied input is processed. Decryption operations should only be permitted for authenticated and authorized users. Server logging configuration should also be reviewed to ensure that POST body contents, including key material, are not written to persistent logs.

Published: Mar 19, 2026
Updated: Mar 20, 2026
GHSA: GHSA-5x2w-37xf-7962
Severity: Medium
Exploit:
CISA KEV:

No technical information available.

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
wwbn / avideo	-	25.0.x

https://github.com/WWBN/AVideo/security/advisories/GHSA-5x2w-37xf-7962

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo

Frequently Asked Questions

What is a Vulnerability (CVE) and why does it matter?

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.