#VU125497 Missing Authentication for Critical Function in AVideo - CVE-2026-34732

 

Published: April 8, 2026


Vulnerability identifier: #VU125497
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34732
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: AVideo
Software vendor: World Wide Broadcast Network

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication in CreatePlugin/templates/list.json.php when handling requests to generated list.json.php endpoints. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue affects list endpoints generated by the CreatePlugin code generator and can expose user PII, payment transaction logs, IP addresses, user agents, and internal system records.
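
A log-review example for the exposure described above, added here and not taken from the advisory or the AVideo project: it scans web server access logs for successful responses from any path ending in list.json.php and totals hits and bytes per client. It assumes Combined Log Format; the sample lines, IP addresses and plugin paths are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Path (query string removed) whose final segment is list.json.php.
ENDPOINT_RE = re.compile(r'/list\.json\.php$', re.IGNORECASE)


def summarize(lines):
    """Per client IP: hit count, bytes and distinct endpoints for 200 responses
    served from list.json.php paths."""
    report = defaultdict(lambda: {"hits": 0, "bytes": 0, "endpoints": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        path = m["target"].split("?", 1)[0]
        if m["status"] != "200" or not ENDPOINT_RE.search(path):
            continue  # only successful responses from list endpoints
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["endpoints"].add(path)
    return dict(report)


# Constructed sample lines: documentation IPs, hypothetical plugin paths.
BASE = "/plugin/ExamplePlugin/View"
SAMPLE = [
    f'198.51.100.7 - - [08/Apr/2026:10:01:02 +0000] "GET {BASE}/Example_users/list.json.php HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    f'198.51.100.7 - - [08/Apr/2026:10:01:03 +0000] "GET {BASE}/Example_log/list.json.php?page=2 HTTP/1.1" 200 91002 "-" "curl/8.5.0"',
    f'203.0.113.20 - - [08/Apr/2026:10:05:00 +0000] "GET {BASE}/Example_users/list.json.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [08/Apr/2026:10:05:01 +0000] "GET /view/index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"',
    f'192.0.2.33 - - [08/Apr/2026:10:09:00 +0000] "POST {BASE}/Example_users/list.json.php HTTP/1.1" 200 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["bytes"])
    for ip, e in ranked:
        print(ip, e["hits"], e["bytes"], sorted(e["endpoints"]))
```

Access logs do not record whether a request carried a valid session, so clients reported here still need to be compared against known administrator activity before being treated as unauthenticated access.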


Remediation

Install the security update from the vendor's website.
