CVE-2026-34732

MEDIUM

5.3

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.

CVE Details

CVSS v3.1 Score5.3

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published3/31/2026

Last Modified4/1/2026

Sourcenvd

Honeypot Sightings0

Affected Products

wwbn:avideo

Weaknesses (CWE)

CWE-306

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7(security-advisories@github.com)

https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.