CVE-2026-15594 in waoowaooinfo

Summary

by MITRE • 07/14/2026

A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability identified in waooAI waoowaoo version 0.4.1 represents a critical authorization flaw within the Media Handler component, specifically affecting the stablePublicIdFromStorageKey function located in src/lib/media/hash.ts. This issue stems from inadequate input validation and authorization checks when processing the storageKey argument, creating a pathway for unauthorized access to media resources. The vulnerability's classification as remote exploitation indicates that attackers can leverage this weakness without requiring physical access to the system or direct network proximity, significantly expanding the potential attack surface.

The technical implementation flaw manifests in how the function processes storageKey parameters without proper authorization verification mechanisms. This oversight allows malicious actors to manipulate input values and potentially bypass intended access controls, leading to unauthorized retrieval of media content that should be restricted. The complexity requirement for exploitation suggests that while the vulnerability exists, sophisticated attack techniques are necessary to successfully exploit it, though the public availability of exploit information reduces the barrier to entry. The vulnerability's presence in a core media handling library means that any application utilizing this component could be compromised.

The operational impact of this vulnerability extends beyond simple data exposure, potentially enabling attackers to access sensitive media resources including user-generated content, proprietary materials, or confidential information stored within the system. This unauthorized access capability can lead to data breaches, intellectual property theft, and potential privacy violations depending on the nature of the media content. The fact that the project has received advance notice through issue reporting but has not yet responded indicates a delay in remediation that leaves systems vulnerable to active exploitation.

Security professionals should consider this vulnerability in relation to CWE-285 which addresses improper authorization issues, and potentially CWE-20 which covers input validation problems. From an ATT&CK framework perspective, this weakness aligns with techniques involving privilege escalation and unauthorized access, specifically T1078 for valid accounts and T1566 for social engineering. Organizations should prioritize immediate remediation efforts including code review of the affected function, implementation of proper authorization checks, and potentially temporary mitigation measures such as rate limiting or access control restrictions while permanent fixes are deployed. The public availability of exploit information necessitates urgent action to prevent potential exploitation by threat actors who may be actively targeting systems using this vulnerable software version.

Responsible

VulDB

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!