Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-35450 describes an information disclosure vulnerability within the plugin/API/check.ffmpeg.json.php endpoint of wwbn/avideo. This endpoint exposes the FFmpeg remote server configuration status without requiring authentication, allowing attackers to determine connectivity. The vulnerability affects versions of wwbn/avideo up to and including 26.0. A fix is available in version 26.1.
The primary impact of CVE-2026-35450 is the potential for unauthorized disclosure of information regarding the FFmpeg remote server configuration. While the endpoint only reveals connectivity status, this information could be leveraged in conjunction with other reconnaissance efforts to map the network and identify potential attack vectors. An attacker could use this to confirm the presence and accessibility of FFmpeg, a component often used in media processing, and potentially probe for further vulnerabilities within that system. The lack of authentication means any user, even unauthenticated, can access this information.
CVE-2026-35450 was publicly disclosed on 2026-04-04. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept code is not currently available, but the simplicity of the vulnerability suggests that it could be easily exploited.
Exploit Status
EPSS: 0.04% (12th percentile)
The recommended mitigation for CVE-2026-35450 is to upgrade to version 26.1 of wwbn/avideo, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing a temporary workaround by restricting access to the plugin/API/check.ffmpeg.json.php endpoint. This can be achieved through firewall rules or web server configuration to limit access to trusted IP addresses or user roles. Monitor access logs for unusual activity targeting this endpoint. After upgrading, confirm the vulnerability is resolved by attempting to access the endpoint and verifying that it either returns an error or requires authentication.
Update the AVideo plugin to version 26.1 or higher to mitigate the vulnerability. This update corrects the lack of authentication in the check.ffmpeg.json.php endpoint, preventing unauthorized disclosure of FFmpeg server configuration information.
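The access-log monitoring recommended above can be sketched as follows. This is an added example, not code from the advisory or the AVideo project. It assumes logs in Combined Log Format and a hypothetical trusted-network list, and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "/plugin/api/check.ffmpeg.json.php"  # advisory path, lowercased for matching
# Assumption: networks allowed to query the endpoint (constructed values).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
# Combined Log Format: client ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2026:10:01:02 +0000] "GET /plugin/API/check.ffmpeg.json.php HTTP/1.1" 200 64 "-" "curl/8.5.0"
10.1.2.3 - - [05/Apr/2026:10:01:05 +0000] "GET /plugin/API/check.ffmpeg.json.php HTTP/1.1" 200 64 "-" "monitor"
198.51.100.9 - - [05/Apr/2026:10:02:11 +0000] "GET /video//plugin/API/check%2Effmpeg.json.php?x=1 HTTP/1.1" 403 153 "-" "-"
203.0.113.7 - - [05/Apr/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

def normalize(target):
    """Drop the query string, decode percent-escapes, collapse '//', lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def is_trusted(client):
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or junk in the client field: treat as untrusted
    return any(ip in net for net in TRUSTED)

def scan(lines):
    """Return (client, status, outcome) for untrusted requests to the endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        # Substring match also covers sub-directory installs and trailing path info.
        if not m or ENDPOINT not in normalize(m["target"]):
            continue
        if is_trusted(m["client"]):
            continue
        status = int(m["status"])
        # 2xx: the endpoint answered an untrusted client; 401/403: the restriction held.
        outcome = "answered" if 200 <= status < 300 else "denied" if status in (401, 403) else "other"
        findings.append((m["client"], status, outcome))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An `answered` finding after the upgrade or the access restriction is in place means the endpoint is still reachable from outside the trusted networks.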
CVE-2026-35450 is a vulnerability in wwbn/avideo versions up to 26.0 where the check.ffmpeg.json.php endpoint exposes FFmpeg remote server configuration without authentication, allowing attackers to determine connectivity status.
You are affected if you are using wwbn/avideo versions 26.0 or earlier. The vulnerability allows unauthorized access to FFmpeg configuration information.
Upgrade to version 26.1 of wwbn/avideo. As a temporary workaround, restrict access to the plugin/API/check.ffmpeg.json.php endpoint using firewall rules or web server configuration.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the wwbn/avideo project's official website or repository for the latest security advisories and release notes.