MEDIUM · 5.3

CVE-2026-34732

Vulnerability Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.

CVSS Score

5.3 (MEDIUM)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: NONE

Affected Products

Vendor | Product | Versions
Wwbn | Avideo | <= 26.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2026-34732?

CVE-2026-34732 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check.

How severe is CVE-2026-34732?

CVE-2026-34732 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-34732?

Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.