CVE-2026-33488

Published: Mar 23, 2026 Last Modified: Mar 23, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,4

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system — completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.

326

Inadequate Encryption Strength

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Confidentiality

Potential Impacts:

Bypass Protection Mechanism Read Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/WWBN/AVideo/commit/00d979d87f8182095c815…

https://github.com/WWBN/AVideo/commit/00d979d87f8182095c8150609153a43f834e351e

https://github.com/WWBN/AVideo/security/advisories/GHSA-6m5…

https://github.com/WWBN/AVideo/security/advisories/GHSA-6m5f-j7w2-w953

CVE-2026-33488

Description

Inadequate Encryption Strength

Common Consequences

Applicable Platforms

Iscriviti alla newsletter