Missing Authentication for Critical Function in AVideo - CVE-2026-34732

 


Published: April 8, 2026


Vulnerability identifier: #VU125497
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34732
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software: AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing authentication in CreatePlugin/templates/list.json.php when handling requests to generated list.json.php endpoints. A remote attacker can send a specially crafted request and obtain sensitive information.

The issue affects list endpoints generated by the CreatePlugin code generator and can expose user PII, payment transaction logs, IP addresses, user agents, and internal system records.
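To inventory generated list endpoints on an installation, the following added example (not vendor code and not part of the original advisory) walks a plugin directory and reports every list.json.php that contains no live authentication guard. The guard call names, the directory layout and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed guard calls (not taken from the advisory); adjust to your patched version.
GUARD = re.compile(r"User::(isAdmin|isLogged)\s*\(")
# PHP comments: /* ... */, // ..., # ...  (naive: does not parse string literals)
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def unguarded_list_endpoints(plugin_root):
    """Return list.json.php files under plugin_root with no live guard call."""
    findings = []
    for path in sorted(Path(plugin_root).rglob("list.json.php")):
        source = path.read_text(errors="replace")
        live_code = COMMENT.sub("", source)  # a commented-out guard must not count
        if not GUARD.search(live_code):
            findings.append(path.relative_to(plugin_root).as_posix())
    return findings

def demo():
    """Run the audit over a constructed plugin tree (sample data, not AVideo code)."""
    samples = {
        "PluginA/View/Orders/list.json.php":
            "<?php\n$rows = Orders::getAll();\necho json_encode($rows);\n",
        "PluginB/View/Logs/list.json.php":
            "<?php\n// if(!User::isAdmin()){ die(); }\necho json_encode(Logs::getAll());\n",
        "PluginC/View/Items/list.json.php":
            "<?php\nif(!User::isAdmin()){ die('{\"error\":true}'); }\n"
            "echo json_encode(Items::getAll());\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body)
        return unguarded_list_endpoints(root)

if __name__ == "__main__":
    for hit in demo():
        print("no authentication guard:", hit)
```

A file that passes this check still needs manual review: the presence of a guard call does not prove it runs before the data is returned.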


How to mitigate CVE-2026-34732

Install the security update from the vendor's website.
