Missing Authorization in AVideo - CVE-2026-35179

 

Published: April 8, 2026


Vulnerability identifier: #VU125504
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35179
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software: AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to modify content on the platform's Instagram account.

The vulnerability exists due to missing authorization in publishInstagram.json.php when handling requests to proxy Instagram Graph API calls. A remote attacker can send a specially crafted request with user-controlled Graph API parameters to modify content on the platform's Instagram account.

The endpoint forwards the request to Facebook's servers, so the API calls are made from the AVideo server's IP address.
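To review whether the endpoint was reached before patching, the following added example (not part of the original advisory and not AVideo code) groups web access log requests to `publishInstagram.json.php` by client IP. It assumes Combined Log Format; the log lines, the `/example-path/` directory and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

ENDPOINT = "publishinstagram.json.php"  # file named in the advisory, lower-cased

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = """
192.0.2.10 - - [08/Apr/2026:10:01:02 +0000] "POST /example-path/publishInstagram.json.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.0.2.10 - - [08/Apr/2026:10:01:09 +0000] "POST /example-path/publishInstagram%2Ejson.php?x=1 HTTP/1.1" 200 498 "-" "curl/8.5.0"
198.51.100.7 - - [08/Apr/2026:10:05:00 +0000] "GET /example-path/publishInstagram.json.php/extra HTTP/1.1" 403 120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2026:10:06:00 +0000] "GET /videos/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def hits_endpoint(target):
    """True when any path segment is the advisory's file, ignoring case,
    percent-encoding, query strings and trailing PATH_INFO."""
    path = unquote(urlsplit(target).path).lower()
    return ENDPOINT in path.split("/")

def triage(lines):
    """Summarise requests to the endpoint per client IP."""
    report = defaultdict(lambda: {"count": 0, "served": 0, "methods": set(),
                                  "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not hits_endpoint(m["target"]):
            continue  # unparseable line or unrelated request
        entry = report[m["ip"]]
        entry["count"] += 1
        entry["served"] += m["status"].startswith("2")  # 2xx: request was processed
        entry["methods"].add(m["method"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(report)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Clients with a non-zero `served` count are the ones to correlate with unexpected changes on the platform's Instagram account.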


How to mitigate CVE-2026-35179

Install the security update from the vendor's website.

Sources