#VU125485 Insufficient Session Expiration in AVideo - CVE-2026-34362

 


Published: April 8, 2026


Vulnerability identifier: #VU125485
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34362
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote user to disclose sensitive information and impersonate users over WebSocket connections.

The vulnerability exists due to insufficient session expiration in verifyTokenSocket() in plugin/YPTSocket/functions.php when validating WebSocket tokens. A remote user can reuse a captured or previously obtained WebSocket token to disclose sensitive information and impersonate users over WebSocket connections.

Admin tokens can expose real-time connection data for online users, including IP addresses, browser information, and page locations, and tokens remain usable even after account deletion, banning, or privilege demotion.
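
As an added illustration (not AVideo's code and not the vendor's patch), the PHP example below shows the three checks whose absence produces the behaviour described above: a bounded token lifetime, a lookup of the current account state, and privileges taken from the live account record rather than from the token. The token layout, the TOKEN_MAX_AGE policy, the in-memory $accounts array and the function names issueToken() and verifyToken() are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added illustration, not AVideo code: token layout, key and account store are assumed.
const TOKEN_MAX_AGE = 300; // assumed lifetime policy, in seconds

function issueToken(int $uid, string $key, int $now): string
{
    $body = base64_encode(json_encode(['uid' => $uid, 'iat' => $now], JSON_THROW_ON_ERROR));
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

// Returns the identity to trust for this connection, or null to reject it.
function verifyToken(string $token, string $key, array $accounts, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[0], $key), $parts[1])) {
        return null; // malformed, forged or altered
    }
    $claims = json_decode((string) base64_decode($parts[0], true), true);
    if (!is_array($claims) || !is_int($claims['uid'] ?? null) || !is_int($claims['iat'] ?? null)) {
        return null;
    }
    // 1. Expiry: a captured token stops working after TOKEN_MAX_AGE seconds.
    $age = $now - $claims['iat'];
    if ($age < 0 || $age > TOKEN_MAX_AGE) {
        return null;
    }
    // 2. Current account state: deleted or banned accounts are rejected
    //    even while the token itself is still inside its lifetime.
    $account = $accounts[$claims['uid']] ?? null;
    if ($account === null || $account['banned']) {
        return null;
    }
    // 3. Privilege is read from the live record, never from the token,
    //    so a demoted admin loses admin-only data on the next check.
    return ['uid' => $claims['uid'], 'admin' => $account['is_admin']];
}

// Constructed sample data.
$key = 'example-key-for-illustration-only';
$accounts = [7 => ['is_admin' => true, 'banned' => false]];
$token = issueToken(7, $key, 1000);

var_dump(verifyToken($token, $key, $accounts, 1100)); // fresh token, active admin
var_dump(verifyToken($token, $key, $accounts, 5000)); // same token replayed after its lifetime
$accounts[7]['is_admin'] = false;
var_dump(verifyToken($token, $key, $accounts, 1100)); // admin demoted after issuance
unset($accounts[7]);
var_dump(verifyToken($token, $key, $accounts, 1100)); // account deleted after issuance
```

For a long-lived WebSocket connection the same verification has to be repeated periodically, or the connection closed when the account changes, since a check made only at connect time leaves an already open socket untouched.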


Remediation

Install the security update from the vendor's website.

External links