CVE-2026-34732 - Vulnerability Details

- AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.

Published: 2026-03-31

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In AVideo up to version 26.0 the CreatePlugin list.json.php template lacks an authentication guard, allowing any user to access 21 endpoints that return full plugin listings. These listings expose user PII, payment transaction logs, IP addresses, user agents, and internal system records, enabling attackers to obtain sensitive information without authorization.

Affected Systems

The flaw affects the WWBN AVideo open‑source video platform, specifically versions 26.0 and earlier. Any plugin generated by CreatePlugin inherits the missing guard, creating 21 unauthenticated data‑listing endpoints across the platform.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity while an EPSS score of less than 1 % suggests the risk of exploitation is currently low. The vulnerability is not in CISA’s KEV catalog. Attackers can exploit the flaw simply by sending HTTP requests to the unsecured endpoints, making the attack straightforward and requiring no credentials. With no public patch yet available, the risk persists until a vendor fix is released or mitigated by controls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Configure the web server or reverse proxy to require authentication for the affected URLs, effectively blocking unauthenticated access.
Monitor access logs for requests to the 21 endpoints to detect and investigate potential abuse.
Check WWBN’s website or GitHub for an official patch or update, and apply it as soon as it is available.
If an immediate patch is unavailable, consider removing or disabling the vulnerable endpoints from the deployment until a fix is applied.

Generated by OpenCVE AI on April 2, 2026 at 04:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-g2mg-cgr6-vmv7	AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
CPEs		cpe:2.3:a:wwbn:avideo::::::::
Vendors & Products		Wwbn Wwbn avideo
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.
Title		AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
Weaknesses		CWE-306
References		https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T20:51:51.138Z

Updated: 2026-04-01T13:38:51.374Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34732

Vulnrichment

Updated: 2026-04-01T13:38:41.764Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:31.910

Modified: 2026-04-01T18:38:07.460

Link: CVE-2026-34732

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:38Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object