Improper Authorization in Media Handler Component of WaooAI Product
CVE-2026-15594
Key Information:
Badges
What is CVE-2026-15594?
A vulnerability exists in the WaooAI Media Handler's stablePublicIdFromStorageKey function, specifically in the src/lib/media/hash.ts file. This issue arises from improper authorization related to the manipulation of the 'storageKey' argument, potentially allowing attackers to gain unauthorized access. The exploitation of this vulnerability can be executed remotely; however, it requires significant complexity, making the exploitation process challenging. Despite notifying the project about this security concern, there has been no response or patch issued to date.
Affected Version(s)
waoowaoo 0.4.0
waoowaoo 0.4.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
