Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Mass disclosure of user PII and wallet balances
Action: Assess Impact
AI Analysis

Impact

The flaw in the YPTWallet users.json.php endpoint lets any authenticated user retrieve the complete list of platform users together with their personal information and wallet balances. Because the code only checks that the caller is logged in and never confirms administrative privileges, an attacker can harvest this data simply by logging into the system. The vulnerability is a classic missing-authorization check, categorized as CWE-862, and it compromises the privacy of every registered user.

Affected Systems

The issue affects the WWBN AVideo open-source video platform, specifically versions 26.0 and earlier. The problematic endpoint resides in the YPTWallet plugin. Anyone running an affected instance, regardless of the underlying operating system, is potentially vulnerable if the plugin is installed.

Risk and Exploitability

The CVSS base score of 6.5 signals a medium-severity risk. EPSS indicates less than 1% chance of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Exploitation requires only that the user is authenticated; an attacker who creates a free account or compromises another user's credentials can trigger the data dump. No publicly available patch exists at publication, so the vulnerability remains exploitable until an update is released.

Generated by OpenCVE AI on April 2, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or update to AVideo when it becomes available.
  • If a patch is not yet released, disable or remove the YPTWallet plugin to eliminate the vulnerable endpoint.
  • Alternatively, restrict access to the /YPTWallet/view/users.json.php endpoint so that only administrative users can invoke it.
  • Verify that no other authenticated users have unnecessary access privileges in the platform.
  • Regularly check the WWBN project page for new security releases.
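As an added example (not part of the OpenCVE record or the AVideo project), the following Python script supports the "Assess Impact" action: it parses web-server access logs in the common combined format and reports which clients successfully fetched the vulnerable users.json.php endpoint. The log lines are constructed for illustration; the endpoint path is the one named in the description.

```python
import re
from collections import Counter

# Path of the vulnerable endpoint named in the advisory (query strings are stripped below).
ENDPOINT = "/plugin/YPTWallet/view/users.json.php"

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [01/Apr/2026:10:00:05 +0000] "GET /plugin/YPTWallet/view/users.json.php HTTP/1.1" 200 88123
198.51.100.9 - - [01/Apr/2026:10:01:10 +0000] "GET /plugin/YPTWallet/view/users.json.php?page=2 HTTP/1.1" 200 87990
203.0.113.7 - - [01/Apr/2026:10:02:00 +0000] "GET /plugin/YPTWallet/view/users.json.php HTTP/1.1" 403 212
192.0.2.4 - - [01/Apr/2026:10:03:00 +0000] "GET /plugin/YPTWallet/view/wallet.json.php HTTP/1.1" 200 512
"""


def find_user_dumps(log_text):
    """Return (ip, timestamp, bytes) for every request that successfully
    fetched the endpoint. Only HTTP 200 counts: a 403 (for example after the
    endpoint has been restricted to administrators) means no user data was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if path != ENDPOINT or m.group("status") != "200":
            continue
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        hits.append((m.group("ip"), m.group("time"), size))
    return hits


def dumps_per_client(log_text):
    """Count successful dumps per client IP; each one is a full PII disclosure."""
    return Counter(ip for ip, _, _ in find_user_dumps(log_text))


if __name__ == "__main__":
    for ip, n in dumps_per_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} successful fetch(es) of {ENDPOINT}")
```

Correlate the flagged timestamps with the platform's own session or login records to identify which accounts performed the fetches, since the access log alone does not show which user was authenticated.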

Generated by OpenCVE AI on April 2, 2026 at 03:53 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-77jp-mgcw-rfmr
Title: AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

History

Wed, 01 Apr 2026 23:45:00 +0000

Values added (nothing removed):

First Time appeared: Wwbn; Wwbn avideo
CPEs: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products: Wwbn; Wwbn avideo
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Values added (nothing removed):

Description: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches.
Title: AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
Weaknesses: CWE-862
References: (none)
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:35:40.270Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34395

Vulnrichment

Updated: 2026-04-01T18:35:36.563Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:30.817

Modified: 2026-04-01T20:35:18.280

Link: CVE-2026-34395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:45Z

Weaknesses