A vulnerability labeled as problematic has been found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization.

This vulnerability was named CVE-2026-15594. The attack may be performed from remote. In addition, an exploit is available.

The project was informed of the problem early through an issue report but has not responded yet.