Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated deletion and disclosure of temporary files
Action: Apply Workaround
AI Analysis

Impact

A PHP operator precedence bug in the command‑line guard of the install/deleteSystemdPrivate.php script allows the script to run from a web request. The guard condition never triggers the die() exit, so when the script is accessed over HTTP the temporary directory contents are listed and files are deleted. This flaw enables an unauthenticated attacker to remove files from the server’s temp directory and expose potentially sensitive data, compromising data integrity and confidentiality.

Affected Systems

The weakness affects the WWBN AVideo platform in all releases 26.0 and earlier. The vulnerable code resides in install/deleteSystemdPrivate.php, which should only be executed from the command line but is accessible via the web server. No other vendors, products, or later versions are reported as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1 %, and the issue is not listed in the CISA KEV catalog. The exploitation path is straightforward: a remote attacker can issue an HTTP request to the vulnerable script’s URL without authentication, causing file deletion and directory disclosure. No special privileges are required beyond web access, making it a realistic threat for any publicly exposed AVideo installation.

Generated by OpenCVE AI on April 2, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a version newer than 26.0 when an official patch is released.
  • Edit the guard condition in install/deleteSystemdPrivate.php to correctly compare php_sapi_name() with 'cli', so the die() statement triggers when accessed outside the CLI.
  • Move or delete install/deleteSystemdPrivate.php from any directory that is web‑accessible.
  • Configure the web server or firewall to block HTTP access to the AVideo installation directory from untrusted hosts.
  • Review server logs for unexpected requests to the script and investigate any suspicious activity.
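The guard fix from the recommended actions above, as an added example (not AVideo's code; only the expression `!php_sapi_name() === 'cli'` comes from the advisory). The function names are hypothetical, and the SAPI name is passed in as a parameter so both forms can be compared in a single CLI run.

```php
<?php
// Added illustration, not AVideo source. Only the quoted guard expression
// is taken from the advisory; function names are hypothetical.

// Corrected guard protecting this demo itself: refuse every non-CLI SAPI.
if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    die('Command line only');
}

/** Guard as quoted in the advisory. PHP parses it as (!$sapi) === 'cli'. */
function brokenGuardBlocks(string $sapi): bool
{
    // !$sapi is a bool (false for any non-empty string). A bool is never
    // strictly identical to the string 'cli', so this is always false.
    return !$sapi === 'cli';
}

/** Corrected guard: block whenever the SAPI is anything other than CLI. */
function fixedGuardBlocks(string $sapi): bool
{
    return $sapi !== 'cli';
}

// Values php_sapi_name() returns for common deployments.
$sapis = ['cli', 'apache2handler', 'fpm-fcgi', 'cgi-fcgi'];

printf("%-16s %-14s %s\n", 'SAPI', 'broken guard', 'fixed guard');
foreach ($sapis as $sapi) {
    printf(
        "%-16s %-14s %s\n",
        $sapi,
        brokenGuardBlocks($sapi) ? 'die()' : 'runs',
        fixedGuardBlocks($sapi) ? 'die()' : 'runs'
    );
}
```

The broken guard reports "runs" for every SAPI, including the web ones; the corrected guard lets only `cli` through.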

Generated by OpenCVE AI on April 2, 2026 at 05:50 UTC.

Advisories
| Source | ID | Title |
| --- | --- | --- |
| GitHub GHSA | GHSA-wwpw-hrx8-79r5 | AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard |

History

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Wwbn; Wwbn avideo |
| CPEs | | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* |
| Vendors & Products | | Wwbn; Wwbn avideo |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Same text as the Description at the top of this page |
| Title | | AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard |
| Weaknesses | | CWE-284 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:45:09.886Z

Reserved: 2026-03-30T18:41:20.754Z

Link: CVE-2026-34733

Vulnrichment

Updated: 2026-04-01T18:45:06.402Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:32.083

Modified: 2026-04-01T18:40:28.920

Link: CVE-2026-34733

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:38Z

Weaknesses