#VU125487 Missing Authorization in AVideo - CVE-2026-34245

 


Published: April 8, 2026


Vulnerability identifier: #VU125487
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34245
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote user to modify broadcast schedules for other users' playlists.

The vulnerability exists due to missing authorization in plugin/PlayLists/View/Playlists_schedules/add.json.php when handling schedule creation or modification requests. A remote user can send a specially crafted request to modify broadcast schedules for other users' playlists.

When the schedule executes, the rebroadcast runs under the targeted playlist owner's identity.
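
The class of check that is missing here, shown as an added example (not AVideo's code and not the vendor's patch): a schedule-saving routine that accepts any logged-in user, next to the same routine with an ownership check. The function name, the in-memory playlist table and the user arrays are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed data standing in for the playlist table (hypothetical schema):
// playlist id => owner user id.
const PLAYLIST_OWNERS = [10 => 1, 20 => 2];

/**
 * Hypothetical save routine for a playlist schedule.
 * Returns [HTTP status, message]. $enforceOwnership = false models the
 * missing-authorization behaviour; true models the hardened behaviour.
 */
function saveSchedule(array $user, int $playlistId, array $schedule, bool $enforceOwnership): array
{
    // Authentication: the caller must be logged in.
    if (empty($user['id'])) {
        return [401, 'login required'];
    }
    if (!array_key_exists($playlistId, PLAYLIST_OWNERS)) {
        return [404, 'playlist not found'];
    }
    $ownerId = PLAYLIST_OWNERS[$playlistId];

    // Authorization: being logged in is not enough. The schedule later runs
    // under the playlist owner's identity, so only the owner (or an
    // administrator) may create or change it.
    if ($enforceOwnership && $ownerId !== $user['id'] && empty($user['isAdmin'])) {
        return [403, 'caller does not own this playlist'];
    }

    // A real handler would validate and persist $schedule here.
    return [200, "schedule saved; it will run as user {$ownerId}"];
}

// Constructed users: user 2 owns playlist 20 only, user 1 owns playlist 10.
$otherUser = ['id' => 2, 'isAdmin' => false];
$owner     = ['id' => 1, 'isAdmin' => false];
$schedule  = ['start' => '2026-01-01 10:00:00']; // constructed sample value

foreach ([false, true] as $enforce) {
    [$status, $message] = saveSchedule($otherUser, 10, $schedule, $enforce);
    printf("ownership check %s, non-owner: %d %s\n", $enforce ? 'on' : 'off', $status, $message);
}
[$status, $message] = saveSchedule($owner, 10, $schedule, true);
printf("ownership check on, owner: %d %s\n", $status, $message);
```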


Remediation

Install the security update from the vendor's website.
