Description
AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.
References (4)
Core 4
Core References
Patch patch
https://github.com/WWBN/AVideo/commit/c279999cbd
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion
Various Sources technical-description
exploit
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
Scores
CVSS v3
9.1
EPSS
0.0027
EPSS Percentile
50.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (1)
wwbn/avideo
< 20.0
Published
Dec 17, 2025
Tracked Since
Feb 18, 2026