CVE-2026-34732
Published 2026-03-31
Priority: P3 · 48 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.38% (29.5th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
ghsa·2026-04-01
CVE-2026-34732 [MEDIUM] CWE-306 AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
## Summary
The AVideo `CreatePlugin` template for `list.json.php` does not include any authentication or authorization check. While the companion templates `add.json.php` and `delete.json.php` both require admin privileges, the `list.json.php` template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records.
## Details
The `list.json.php` template in `CreatePlugin/templates/` lacks any authentication check. Comparing with the sibli
OSV
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
osv·2026-04-01
CVE-2026-34732 [MEDIUM] AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
No detection rules found.
No public exploits indexed.