CVE-2026-34732: Missing Authentication for Critical Function in AVideo

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 83.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 31
Latest update: Apr 1

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These e

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: wwbn/avideo 26.0
Packagist: wwbn/avideo 26.0

🔴 Vulnerability Details (2)

GHSA: AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints (2026-04-01)
OSV: AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints (2026-04-01)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-34732 Impact, Exploitability, and Mitigation Steps | Wiz