CVE-2026-34738
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
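The gap described above, validating the status value without authorizing the caller, shown next to a hardened form. This is an added illustration, not AVideo's code: the `User` class, both function names, and every status code other than "a" are assumptions made for the example.

```php
<?php
// Added illustration, not AVideo's code. "a" = active comes from the CVE text;
// "i" and "d" are constructed stand-ins for non-public states.
const KNOWN_STATUSES = ['a', 'i', 'd'];

// Hypothetical caller model.
final class User {
    public function __construct(public bool $canUpload, public bool $canModerate) {}
}

// Flawed pattern: the value is validated, the caller is never consulted.
function setStatusValidatedOnly(string $requested): string {
    if (!in_array($requested, KNOWN_STATUSES, true)) {
        throw new InvalidArgumentException('unknown status');
    }
    return $requested;
}

// Hardened pattern: validate the value, then authorize this caller for it.
function setStatusAuthorized(User $caller, string $requested): string {
    if (!in_array($requested, KNOWN_STATUSES, true)) {
        throw new InvalidArgumentException('unknown status');
    }
    // Publishing is reserved for moderators; uploaders may pick non-public states only.
    $allowed = $caller->canModerate ? KNOWN_STATUSES : ['i', 'd'];
    if (!$caller->canUpload || !in_array($requested, $allowed, true)) {
        throw new RuntimeException('caller may not set this status');
    }
    return $requested;
}

$uploader  = new User(canUpload: true, canModerate: false);
$moderator = new User(canUpload: true, canModerate: true);

// The validation-only path has no notion of who is asking.
echo 'validated only: ', setStatusValidatedOnly('a'), "\n";

try {
    setStatusAuthorized($uploader, 'a');
} catch (RuntimeException $e) {
    echo 'uploader blocked: ', $e->getMessage(), "\n";
}

echo 'moderator: ', setStatusAuthorized($moderator, 'a'), "\n";
```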
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
References
- github.com/WWBN/AVideo/security/advisories/GHSA-m577-w9j8-ch7j [nvd; Exploit, Vendor Advisory; WEB]
- github.com/advisories/GHSA-m577-w9j8-ch7j [ghsa; ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2026-34738 [ghsa; ADVISORY]
- github.com/WWBN/AVideo/commit/34f0237e2449d2e564a69fe3c5c71c830f5d11fd [ghsa; WEB]