CVE-2026-33488— AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33488
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system — completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的加密强度
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 加密问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0及之前版本存在加密问题漏洞,该漏洞源于使用弱RSA密钥且端点缺少身份验证,可能导致绕过双因素身份验证和拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33488
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33488
请登录查看更多情报信息。
- Unicorn! · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-33488
Same Patch Batch · WWBN · 2026-03-23 · 34 CVEs total
| CVE-2026-33478 | 10.0 CRITICAL | AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, |
| CVE-2026-33352 | 9.8 CRITICAL | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escap |
| CVE-2026-33716 | 9.4 CRITICAL | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in c |
| CVE-2026-33502 | 9.3 CRITICAL | AVideo has Unauthenticated SSRF via plugin/Live/test.php |
| CVE-2026-33351 | 9.1 CRITICAL | AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaini |
| CVE-2026-33507 | 8.8 HIGH | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Exec |
| CVE-2026-33717 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloa |
| CVE-2026-33647 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery Fil |
| CVE-2026-33648 | 8.8 HIGH | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionH |
| CVE-2026-33479 | 8.8 HIGH | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through |
| CVE-2026-33719 | 8.6 HIGH | AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypa |
| CVE-2026-33513 | 8.6 HIGH | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writab |
| CVE-2026-33480 | 8.6 HIGH | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated Live |
| CVE-2026-33482 | 8.1 HIGH | AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegComm |
| CVE-2026-33651 | 8.1 HIGH | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_i |
| CVE-2026-33649 | 8.1 HIGH | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitra |
| CVE-2026-33354 | 7.6 HIGH | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `a |
| CVE-2026-33650 | 7.6 HIGH | AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Vid |
| CVE-2026-33485 | 7.5 HIGH | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream N |
| CVE-2026-33512 | 7.5 HIGH | AVideo has an unauthenticated decrypt oracle leaking any ciphertext |
Showing top 20 of 34 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same vendor: WWBN
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same weakness: CWE-326
- CVE-2018-25272
ELBA5 5.8.0 Remote Code Execution via Database Access - CVE-2025-1241
Encryption vulnerable to brute-force decryption in GoAnywher - CVE-2026-5363
Use of weak cryptographic key in TP-Link Archer C7 - CVE-2026-39349
OrangeHRM Uses AES-ECB for Sensitive Data Encryption Enables - CVE-2025-36379
IBM Security QRadar EDR Software has multiple vulnerabilitie
V. Comments for CVE-2026-33488
No comments yet