Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-34732 is a medium-severity vulnerability affecting wwbn/avideo versions up to 26.0. This vulnerability stems from a missing authentication check in the CreatePlugin template within list.json.php, allowing unauthenticated access to sensitive data. Exploitation can lead to exposure of user PII, payment transaction logs, and internal system records, impacting data privacy and security.
The primary impact of CVE-2026-34732 is the unauthorized disclosure of sensitive data. Attackers can leverage the missing authentication check to directly query the list.json.php endpoint, bypassing standard access controls. This can expose a wide range of information, including personally identifiable information (PII) of users, detailed payment transaction logs, IP addresses, user agents, and potentially internal system records. The scope of the data exposed is significant, as 21 unauthenticated data listing endpoints are affected across the platform. This vulnerability shares similarities with other data exposure flaws where inadequate access controls lead to unintended data leakage, potentially enabling identity theft, fraud, and further system compromise.
CVE-2026-34732 was published on 2026-04-01. The CVSS score is 5.3 (MEDIUM), indicating a moderate risk. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (POC) code is not yet available, but the vulnerability's simplicity suggests that a POC could be developed relatively easily.
Exploit Status
EPSS
0.05% (17th percentile)
The primary mitigation for CVE-2026-34732 is to upgrade to a patched version of wwbn/avideo (26.0.1 or later). If the upgrade cannot be applied immediately, consider temporary workarounds such as restricting network access to the list.json.php endpoint using a Web Application Firewall (WAF) or a reverse proxy, configured to block requests to this endpoint from unauthorized sources. Additionally, review and harden access controls on related endpoints to reduce the exposed attack surface. After upgrading, confirm that the CreatePlugin template now enforces authentication by requesting the affected endpoints without credentials and verifying that they no longer return data.
Update AVideo to a version later than 26.0, if available. Otherwise, review and apply the security patches provided by the vendor to correct the lack of authentication in the list.json.php template and in plugins that use the CreatePlugin code.
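The post-upgrade check described above, as an added example that is not part of this advisory or of the AVideo project: it requests each listing endpoint with no session cookie and flags any that still answers with listing data. Only list.json.php is named on the page, so the endpoint list is a placeholder to be filled from your own deployment, and the `error: true` JSON convention used to recognise a denial is an assumption.

```python
import json
import urllib.error
import urllib.request

# Placeholder: the advisory names only list.json.php; the full set of 21 affected
# listing endpoints is not given, so enter the paths from your own deployment here.
LISTING_ENDPOINTS = ["/plugin/PLACEHOLDER_PLUGIN/list.json.php"]


def looks_like_data_leak(status, content_type, body):
    """Classify one unauthenticated response.

    True when the response carries listing data (HTTP 200 with a JSON body that
    contains a non-empty list), which is what the unpatched endpoint returns.
    False for denials (401/403), HTML login pages reached via redirect, and
    error-shaped JSON (`error: true`, an assumed convention, not from the page).
    """
    if status != 200 or "json" not in content_type.lower():
        return False
    try:
        parsed = json.loads(body)
    except ValueError:
        return False
    if isinstance(parsed, dict):
        if parsed.get("error") is True:
            return False
        return any(isinstance(v, list) and len(v) > 0 for v in parsed.values())
    return isinstance(parsed, list) and len(parsed) > 0


def fetch_unauthenticated(base_url, path):
    """GET base_url+path with no cookies; return (status, content_type, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), ""


def check_site(base_url, endpoints=LISTING_ENDPOINTS):
    """Return the endpoint paths that still answer unauthenticated requests with data."""
    return [p for p in endpoints if looks_like_data_leak(*fetch_unauthenticated(base_url, p))]


if __name__ == "__main__":
    import sys
    exposed = check_site(sys.argv[1])  # usage: python check.py https://your-avideo-host
    print("still exposed:" if exposed else "no listing endpoint returned data unauthenticated", exposed)
```

An empty result after the upgrade is the expected outcome; any path listed should be treated as still unpatched.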
CVE-2026-34732 is a medium-severity vulnerability in wwbn/avideo versions up to 26.0 where the CreatePlugin template lacks authentication, allowing unauthorized access to sensitive data.
You are affected if you are using wwbn/avideo version 26.0 or earlier and have not yet upgraded to a patched version.
Upgrade to a patched version of wwbn/avideo (26.0.1 or later). If you cannot upgrade immediately, implement temporary workarounds such as WAF rules that restrict access to the vulnerable endpoint.
There is currently no indication of active exploitation, but the vulnerability's simplicity suggests a POC could be developed.
Refer to the wwbn/avideo security advisories for the latest information and updates regarding CVE-2026-34732.