CVE-2026-34732
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-g2mg-cgr6-vmv7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34732ghsaADVISORY
- github.com/WWBN/AVideo/commit/ea9f555850eb399126a103c1df2156b48734c990ghsaWEB
News mentions
0No linked articles in our index yet.