CVE-2026-34732

MEDIUM

AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.

References (1)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 13.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (3)

wwbn/avideo < 26.0

wwbn/avideo 0Packagist

WWBN/AVideo <= 26.0

Published Mar 31, 2026

Tracked Since Apr 01, 2026