CVE-2026-34364
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no ?user= parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the ?user= parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9 (nvd: Patch, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4 (nvd: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-73gr-r64q-7jh4 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34364 (ghsa: ADVISORY)