CVE-2026-34733
Published 2026-03-31
Priority: P3 (48) | high | CVSS 3.1: 7.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.34% (25.9th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
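The precedence behaviour described above, as an added example that is not AVideo's code: the guard expression from the advisory is evaluated beside a corrected form for several SAPI names, and a small regex helper flags the same idiom in other scripts. The function names, the `die()` message and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not AVideo code. Function names and sample inputs are constructed.

// Guard expression as quoted in the advisory. PHP parses it as (!$sapi) === 'cli':
// !$sapi is false for any non-empty string, and false === 'cli' is false.
function buggyGuardBlocks(string $sapi): bool
{
    return !$sapi === 'cli';
}

// Corrected guard: compare first, so every non-CLI SAPI is refused.
function fixedGuardBlocks(string $sapi): bool
{
    return $sapi !== 'cli';
}

// Audit helper: flag "!call(...) ==" or "===" with no parentheses around the comparison.
function findNegatedComparisons(string $source): array
{
    $pattern = '/!\s*[A-Za-z_\\\\][\w\\\\]*\s*\([^()]*\)\s*(?:===|==)/';
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[] = ($i + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}

// Values php_sapi_name() commonly returns (constructed sample list).
foreach (['cli', 'apache2handler', 'fpm-fcgi', 'cgi-fcgi'] as $sapi) {
    printf("%-15s buggy: %-9s fixed: %s\n", $sapi,
        buggyGuardBlocks($sapi) ? 'die()' : 'continues',
        fixedGuardBlocks($sapi) ? 'die()' : 'continues');
}

// Constructed source snippet: line 2 uses the advisory's idiom, line 3 the corrected form.
$sample = <<<'SRC'
<?php
if (!php_sapi_name() === 'cli') { die('Command line only'); }
if (php_sapi_name() !== 'cli') { die('Command line only'); }
SRC;
print_r(findNegatedComparisons($sample));
```

The buggy guard reports `continues` for every SAPI, including the web ones, while the corrected guard lets only `cli` through; the helper reports line 2 of the snippet and not line 3.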
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
OSV
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
osv·2026-04-01
CVE-2026-34733 [MEDIUM] AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
## Summary
The AVideo installation script `install/deleteSystemdPrivate.php` contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition `!php_sapi_name() === 'cli'` never evaluates to true due to how PHP resolves operator precedence. The `!` (logical NOT) operator binds more tightly than `===` (strict comparison), causing the expression to always evaluate to `false`, which means the `die()` statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response.
GHSA
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
ghsa·2026-04-01
CVE-2026-34733 [MEDIUM] CWE-284 AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
No detection rules found.
No public exploits indexed.