Impact
The vulnerability exists in a diagnostic API endpoint that reports the status of a remote FFmpeg server without requiring any authentication. As a result, anyone able to reach the endpoint can observe whether the platform is able to communicate with its FFmpeg instance, revealing details about the remote server configuration. This lack of authentication is a classic example of CWE-306 (Missing Authentication for Critical Function): an operation that can divulge sensitive information is exposed without any check on who is calling it. The impact is confined to confidentiality, allowing an attacker to gather reconnaissance data about the FFmpeg setup.
Affected Systems
WWBN AVideo, the open-source video platform, is affected in all releases up to and including v26.0. The vulnerability resides solely in the check.ffmpeg.json.php API file; the other FFmpeg-management scripts (kill.ffmpeg.json.php, list.ffmpeg.json.php, and ffmpeg.php) correctly enforce an administrative check and are not affected.
Risk and Exploitability
The CVSS v3 score of 5.3 indicates a moderate (Medium) risk. With an EPSS score below 1% and no listing in the CISA KEV catalog, the probability of exploitation in the wild appears low. The likely attack vector is a direct HTTP request to the vulnerable endpoint, which can be performed from any network that can reach the AVideo instance. Because the information disclosed is limited to connectivity status, the threat is primarily to confidentiality: it may aid further reconnaissance rather than enable a full system compromise.
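The advisory's contrast between check.ffmpeg.json.php and the scripts that do enforce an administrative check suggests a simple verification an operator can run after upgrading: request each FFmpeg-management endpoint with no session and expect every one of them to refuse. The script below is an added example, not AVideo's own code or part of the advisory. It stands up a small local HTTP server that imitates the before-fix behaviour (only the three other scripts check for an admin session) and the after-fix behaviour (all four do), then runs the anonymous check against both. The endpoint paths under the web root, the session cookie name and its value are constructed assumptions; on a real instance, point `find_unprotected` at the actual URLs.

```python
"""Anonymous-access check for admin-only diagnostic endpoints (added example)."""
import http.server
import json
import threading
import urllib.error
import urllib.request

# File names come from the advisory; the leading paths are assumed, not
# AVideo's real layout.
FFMPEG_ENDPOINTS = [
    "/check.ffmpeg.json.php",  # lacked the admin check through v26.0
    "/kill.ffmpeg.json.php",
    "/list.ffmpeg.json.php",
    "/ffmpeg.php",
]

# Constructed sample session; a real deployment uses its own cookie name.
ADMIN_COOKIE = "session=constructed-admin-token"


class FakeAVideoHandler(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the endpoints; `protected` lists those that check auth."""
    protected = set()

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if path not in FFMPEG_ENDPOINTS:
            self.send_error(404)
            return
        is_admin = self.headers.get("Cookie", "") == ADMIN_COOKIE
        if path in self.protected and not is_admin:
            status, msg = 403, "admin session required"
        else:
            status, msg = 200, "ffmpeg server reachable"  # the disclosed status
        body = json.dumps({"error": status != 200, "msg": msg}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server(protected):
    """Start the fake server on a free loopback port with the given protected set."""
    handler = type("Handler", (FakeAVideoHandler,), {"protected": set(protected)})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unauthenticated_status(base_url, path):
    """HTTP status returned to a request that carries no session at all."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_unprotected(base_url, endpoints=FFMPEG_ENDPOINTS):
    """Endpoints that answer 200 to an anonymous request; should be empty after the fix."""
    return [p for p in endpoints if unauthenticated_status(base_url, p) == 200]


def audit(protected):
    """Run the anonymous check against a fake instance whose `protected` set is given."""
    srv = start_server(protected)
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        return find_unprotected(base)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    before_fix = [p for p in FFMPEG_ENDPOINTS if p != "/check.ffmpeg.json.php"]
    print("unprotected before fix:", audit(before_fix))   # ['/check.ffmpeg.json.php']
    print("unprotected after fix: ", audit(FFMPEG_ENDPOINTS))  # []
```

A 200 with a JSON body to a request that carries no session is the finding; a 401, 403 or redirect to the login page is the expected post-patch answer. A 404 means the path assumed here does not match the deployment and says nothing about authentication.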
OpenCVE Enrichment