Medium severity5.3NVD Advisory· Published Apr 6, 2026· Updated Apr 23, 2026

CVE-2026-35449

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
wwbn/avideoPackagist	<= 26.0	—

Affected products

WWBN/Avideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Range: <=26.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xxnvdExploitMitigationVendor AdvisoryWEB
github.com/advisories/GHSA-hg8q-8wqr-35xxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35449ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000