← Back to CVEs
CVE-2026-35449
MEDIUM5.3
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
CVE Details
CVSS v3.1 Score5.3
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published4/6/2026
Last Modified4/6/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-200
References
https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.