CVE-2026-35449
Published 2026-04-06
Priority: P4 31 | Severity: medium 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.33% (25.1th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA
AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
ghsa·2026-04-04
CVE-2026-35449 [MEDIUM] CWE-200 AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
## Summary
The `install/test.php` diagnostic script has its CLI-only access guard disabled by commenting out the `die()` statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
## Details
The disabled guard at `install/test.php:5-7`:
```php
if (!isCommandLineInterface()) {
//return die('Command Line only');
}
```
The script also enables verbose error reporting:
```php
error_reporting(E_ALL);
ini_set('display_errors', '1');
```
It then queries `VideoStatistic::getLastStatistics()` and outputs the result via `var_dump()`:
```php
$resp = VideoStatistic::getLastStatisti…
```
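One way to check web server access logs for HTTP requests that were actually served from `install/test.php`, as an added example that is not part of the advisory or the AVideo code base. It assumes Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Assumption: Combined Log Format (Apache/nginx default style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
SCRIPT = "/install/test.php"  # path named in the advisory


def hits_test_script(target: str) -> bool:
    """True if the request target resolves to install/test.php under any URL prefix."""
    path = unquote(target.split("?", 1)[0])  # drop the query string, decode %xx
    path = normpath("/" + path).lower()      # resolve //, /./ and /../ segments
    # Also match trailing PATH_INFO, e.g. /install/test.php/extra
    return path.endswith(SCRIPT) or (SCRIPT + "/") in path


def find_exposures(lines):
    """Return {client_ip: [(timestamp, target, bytes), ...]} for served requests."""
    served = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_test_script(m["target"]):
            continue
        if m["status"].startswith("2"):      # 403/404 means the script was not served
            served[m["ip"]].append((m["ts"], m["target"], m["size"]))
    return dict(served)


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Apr/2026:10:01:02 +0000] "GET /install/test.php HTTP/1.1" 200 18234 "-" "curl/8.5.0"',
    '203.0.113.7 - - [06/Apr/2026:10:01:09 +0000] "GET /avideo//install/./test.php?x=1 HTTP/1.1" 200 18102 "-" "curl/8.5.0"',
    '192.0.2.9 - - [06/Apr/2026:10:03:00 +0000] "GET /install/test.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Apr/2026:10:03:30 +0000] "GET /view/img/test.php.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_exposures(SAMPLE).items():
        print(f"{ip}: {len(reqs)} served request(s) for install/test.php")
        for ts, target, size in reqs:
            print(f"  {ts}  {target}  {size} bytes")
```

Any 2xx hit from an address that is not an administrator's means the viewer statistics were returned to that client; the response size column helps estimate how much was disclosed.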
OSV
AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
osv·2026-04-04
CVE-2026-35449 [MEDIUM] AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
No detection rules found.
No public exploits indexed.
Published: 2026-04-06