CVE-2026-34362
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the verifyTokenSocket() function in plugin/YPTSocket/functions.php has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to provide permanent WebSocket access, even after user accounts are deleted, banned, or demoted from admin. Admin tokens grant access to real-time connection data for all online users including IP addresses, browser info, and page locations. Commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/WWBN/AVideo/commit/5d5237121bf82c24e9e0fdd5bc1699f1157783c5 (source: NVD; tags: Patch, Web)
- github.com/WWBN/AVideo/security/advisories/GHSA-2mg4-pfgx-64cf (source: NVD; tags: Exploit, Vendor Advisory, Web)
- github.com/advisories/GHSA-2mg4-pfgx-64cf (source: GHSA; tags: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34362 (source: GHSA; tags: Advisory)
News mentions (0)
No linked articles in our index yet.