MEDIUMCVE-2026-34738CVSS 4.3

CVE-2026-34738: AVideo Status Bypass - wwbn/avideo ≤26.0

Q: What is CVE-2026-34738 in wwbn/avideo?

It's a unique identifier for this specific vulnerability in AVideo.

Q: Am I affected by CVE-2026-34738 in wwbn/avideo?

It could allow the publication of inappropriate or unapproved content, impacting the platform's quality.

Q: How do I fix CVE-2026-34738 in wwbn/avideo?

Currently, no official fix is provided by AVideo. Mitigation measures are recommended.

Q: Is CVE-2026-34738 being actively exploited?

Implement stricter access controls and audit the code related to video status management.

Q: Where can I find the official wwbn/avideo advisory for CVE-2026-34738?

Monitor AVideo's communication channels and vulnerability databases like NVD.

Platform

php

Component

wwbn/avideo

Fixed in

26.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: Apr 2026

View on NVD

Save

CVE-2026-34738 is a security vulnerability affecting the wwbn/avideo component where the video processing pipeline allows unauthorized users to modify a video's status, bypassing moderation workflows. This enables any user with upload permissions to directly publish videos, circumventing content review processes and potentially leading to the dissemination of unapproved content. The vulnerability impacts versions of wwbn/avideo up to 26.0. No official patch is currently available.

Impact and Attack Scenarios

CVE-2026-34738 in AVideo allows any uploader with permissions to directly set a video's status to 'active' (a), bypassing admin-controlled moderation and draft workflows. This is because the setStatus() method validates the status code against a predefined list but does not verify if the caller has permission to set that particular status. An attacker could exploit this flaw to publish inappropriate or unapproved content, negatively impacting the platform's quality and security. The absence of a fix available exacerbates the risk, as the vulnerability remains open to exploitation.

Exploitation Context

An attacker with upload permissions in AVideo can exploit this vulnerability by sending an overrideStatus request with the value 'a' (active). Due to insufficient permission validation, the request will be processed without proper authorization, allowing the attacker to publish videos directly, bypassing the moderation process. The ease of exploitation lies in the simplicity of the request and the lack of adequate access controls. Exploitation could be automated, enabling the mass publication of unwanted content.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.03% (7% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impact

Affected Software

Componentwwbn/avideo

Vendorosv

Affected rangeFixed in

<= 26.0 – <= 26.026.0.1

26.026.0.1

Weakness Classification (CWE)

CWE-285

Timeline

Reserved2026-03-30
Published2026-04-01
EPSS updated2026-04-08

Unpatched — 53 days since disclosure

Mitigation and Workarounds

Given that no official fix is provided, immediate mitigation focuses on implementing stricter access controls within the setStatus() method. This involves verifying the user's identity and permissions before allowing any status changes. A thorough audit of the code related to video status management is recommended to identify and rectify any other potential authorization failures. Furthermore, implementing detailed logging of status changes can aid in detecting and responding to exploitation attempts. Consider temporarily disabling the status change functionality until a proper solution is implemented.

How to fix

Actualizar AVideo a una versión posterior a la 26.0, una vez que se publique un parche. Como medida temporal, revisar y moderar manualmente todos los videos subidos para asegurar que el contenido sea apropiado antes de publicarlo.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-34738 in wwbn/avideo?