CVE-2026-33361

Name of the Vulnerable Software and Affected Versions CloudEdge version 5.5.0 (build 220) Arenti version 1.8.1 (build 220) White-label apps versions 1.8.x and earlier

Description In the Meari IoT SDK image handling within the libmrplayer.so library, baby monitor images using the ".jpgx3" extension are protected by a reversible XOR operation. This operation only affects the first 1024 bytes of the JPEG file and utilizes a predictable key derivation model based on the MD5 hash of the device serial, the length of the serial, and a secret. The serial number is transmitted within the same MQTT message, facilitating the decryption of the images.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.