CVE-2026-34733

MEDIUM

AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.

References (1)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 16.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

wwbn/avideo < 26.0

wwbn/avideo 0Packagist

WWBN/AVideo <= 26.0

Published Mar 31, 2026

Tracked Since Apr 01, 2026