CVE-2026-34731
published 2026-03-31CVE-2026-34731: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated…
PriorityP350high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.48%
37.8th percentile
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so. An attacker can enumerate active stream keys from the unauthenticated stats.json.php endpoint, then send crafted POST requests to on_publish_done.php to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform. At time of publication, there are no publicly available patches.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
osv·2026-04-01
CVE-2026-34731 [HIGH] AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
## Summary
The AVideo `on_publish_done.php` endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.
An attacker can enumerate active stream keys from the unauthenticated `stats.json.php` endpoint, then send crafted POST requests to `on_publish_done.php` to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.
## Details
The file `plugin/Live/on_publish_done.php` processes RTMP server callbacks when a stream ends. It accepts a POST parameter
GHSA
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
ghsa·2026-04-01
CVE-2026-34731 [HIGH] CWE-306 AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
## Summary
The AVideo `on_publish_done.php` endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doing so.
An attacker can enumerate active stream keys from the unauthenticated `stats.json.php` endpoint, then send crafted POST requests to `on_publish_done.php` to terminate any live broadcast. This enables denial-of-service against all live streaming functionality on the platform.
## Details
The file `plugin/Live/on_publish_done.php` processes RTMP server callbacks when a stream ends. It accepts a POST parameter
No detection rules found.
No public exploits indexed.
2026-03-31
Published