CVE-2026-34732
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-g2mg-cgr6-vmv7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34732ghsaADVISORY
- github.com/WWBN/AVideo/commit/ea9f555850eb399126a103c1df2156b48734c990ghsaWEB
News mentions
0No linked articles in our index yet.