Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-34732 is a medium-severity vulnerability affecting wwbn/avideo versions up to and including 26.0. It stems from a missing authentication check in the list.json.php of the CreatePlugin template, a data-listing endpoint reused across plugins, so the endpoint answers unauthenticated requests with data that should require a session. Exploitation exposes user PII, payment transaction logs and internal system records.
The primary impact of CVE-2026-34732 is unauthorized disclosure of sensitive data. An attacker who requests the list.json.php endpoint directly, without a session, bypasses the application's normal access controls and receives the listing. The exposed data can include personally identifiable information (PII) of users, detailed payment transaction logs, IP addresses, user agents and potentially internal system records. The scope is significant: 21 unauthenticated data-listing endpoints are affected across the platform. Like other data-exposure flaws caused by inadequate access control, the leak is not limited to privacy harm; the records can feed identity theft, fraud and further compromise of the system.
CVE-2026-34732 was published on 2026-04-01. The CVSS score is 5.3 (MEDIUM), indicating a moderate risk. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (POC) code is not yet available, but the vulnerability's simplicity suggests that a POC could be developed relatively easily.
Organizations using wwbn/avideo versions 26.0 and earlier, particularly those with publicly accessible instances or those handling sensitive user data, are at significant risk. Shared hosting environments where multiple users share the same instance are also particularly vulnerable, as an attacker could potentially exploit this vulnerability to access data belonging to other users.
• php: Examine the CreatePlugin template's list.json.php for the absence of an authentication check. The grep below is a heuristic: it lists lines referencing CreatePlugin that do not mention authentication, so review the hits by hand, since a check can sit a few lines away from the match.
grep -rn --include='list.json.php' 'CreatePlugin' /path/to/avideo | grep -vi 'auth'
• generic web: Monitor access logs for requests to list.json.php from unexpected or unauthorized IP addresses, and look for bursts of repeated requests to the same endpoint from a single source.
grep '/list.json.php' /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
• generic web: Request the endpoint without a session cookie and inspect the status line, Content-Type and body. A 200 response carrying a JSON body of records means the check is missing; a patched instance should deny the request or redirect to the login page. Use curl with -i so the body is shown alongside the headers.
curl -si https://your-avideo-instance/list.json.php
Exploit status
EPSS: 0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34732 is to upgrade wwbn/avideo to 26.0.1 or later, the fixed version listed above. Where the upgrade cannot be applied immediately, restrict network access to the list.json.php endpoints with a Web Application Firewall (WAF) or reverse proxy, blocking requests from sources that have no legitimate need for them, and review access controls on the related listing endpoints to shrink the attack surface. Treat the WAF rule as a stopgap: behind it the endpoints are still unauthenticated. After the upgrade, confirm the fix by requesting the affected endpoints without credentials; the CreatePlugin template's list.json.php should now enforce an authentication check and deny or redirect the request instead of returning data.
Update AVideo to a version later than 26.0 (26.0.1 is listed above as the fixed version). If that is not yet possible, review and apply the vendor-provided security patches that add the missing authentication check to plugins using the list.json.php template and CreatePlugin code.
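The detection checks above and the post-upgrade verification step both reduce to the same two questions: does an unauthenticated request to a list.json.php endpoint return records, and which clients have been pulling those listings? The script below is an added example, not code from the AVideo project. It assumes hypothetical endpoint paths (CANDIDATE_PATHS), assumes a listing response carries its records under a "rows" key or as a top-level list and that a refusal is a 401/403, a redirect, or JSON with "error": true, and assumes the Apache/nginx combined log format; the log lines embedded in it are constructed for the example.

```python
"""Checks for CVE-2026-34732-style unauthenticated list.json.php endpoints.

Added example, not AVideo project code. Hypothetical assumptions: the paths in
CANDIDATE_PATHS, the JSON shapes used to tell data from a refusal, and the
combined log format of the constructed SAMPLE_LOG lines.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from collections import Counter

# Hypothetical endpoint paths; the real ones depend on the plugins installed.
CANDIDATE_PATHS = ["/plugin/ExamplePlugin/list.json.php"]


def classify_response(status, content_type, body):
    """Classify an unauthenticated response as 'exposed', 'denied' or 'unknown'.

    exposed: 200 with a JSON body holding a non-empty list of records
    denied : 401/403, any redirect (typically to login), or JSON with
             "error": true (assumed refusal shape)
    unknown: anything else, e.g. an HTML page; review by hand
    """
    if status in (401, 403) or 300 <= status < 400:
        return "denied"
    if status != 200 or "json" not in content_type.lower():
        return "unknown"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if isinstance(data, list):
        return "exposed" if data else "unknown"
    if isinstance(data, dict):
        if data.get("error") is True:
            return "denied"
        rows = data.get("rows")
        if isinstance(rows, list):
            return "exposed" if rows else "unknown"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError with the 3xx code


def probe(base_url, path, timeout=10):
    """Fetch base_url+path with no cookies or session and classify the result.

    Network call; the offline checks use classify_response directly.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "cve-2026-34732-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""),
                                     resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Content-Type", ""),
                                 err.read().decode("utf-8", "replace"))


# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def suspicious_sources(log_lines, threshold=5):
    """Return [(ip, count)] for sources with >= threshold successful (200) hits on
    any list.json.php path, busiest first. Only 200s count: a 302 means the
    endpoint sent the client to log in, which is the patched behaviour."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        if not m.group("path").split("?", 1)[0].endswith("list.json.php"):
            continue
        counts[m.group("ip")] += 1
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "GET /plugin/ExamplePlugin/list.json.php?rowCount=1000 HTTP/1.1" 200 48211
203.0.113.7 - - [01/Apr/2026:10:00:02 +0000] "GET /plugin/OtherPlugin/list.json.php?rowCount=1000 HTTP/1.1" 200 9822
203.0.113.7 - - [01/Apr/2026:10:00:03 +0000] "GET /plugin/ThirdPlugin/list.json.php?rowCount=1000 HTTP/1.1" 200 17310
203.0.113.7 - - [01/Apr/2026:10:00:04 +0000] "GET /plugin/ExamplePlugin/list.json.php?page=2 HTTP/1.1" 200 48190
203.0.113.7 - - [01/Apr/2026:10:00:05 +0000] "GET /plugin/ExamplePlugin/list.json.php?page=3 HTTP/1.1" 200 48002
198.51.100.4 - - [01/Apr/2026:10:05:00 +0000] "GET /plugin/ExamplePlugin/list.json.php HTTP/1.1" 302 0
198.51.100.4 - - [01/Apr/2026:10:05:10 +0000] "GET /plugin/ExamplePlugin/list.json.php HTTP/1.1" 200 1201
192.0.2.9 - - [01/Apr/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.9 - - [01/Apr/2026:10:07:01 +0000] "GET /plugin/ExamplePlugin/list.json.php HTTP/1.1" 200 1201
"""


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{ip}: {n} successful list.json.php requests")
    if len(sys.argv) > 1:  # python check.py https://your-avideo-instance
        for path in CANDIDATE_PATHS:
            print(path, probe(sys.argv[1], path))
```

Run it with no arguments to see the log analysis on the constructed sample; pass a base URL to probe the candidate paths live. The redirect handler matters for the live probe: urllib follows 3xx by default, so a patched instance that bounces to the login page would otherwise come back as a 200 HTML page and be reported as "unknown" rather than "denied". An "unknown" result is a prompt to look at the body by hand, not a clean bill of health.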
CVE-2026-34732 is a medium-severity vulnerability in wwbn/avideo versions up to and including 26.0: the CreatePlugin template's list.json.php lacks an authentication check, so unauthenticated clients can read sensitive data.
You are affected if you run wwbn/avideo 26.0 or earlier and have not upgraded to 26.0.1 or later.
Upgrade to wwbn/avideo 26.0.1 or later. Until you can, restrict access to the vulnerable endpoints with WAF or proxy rules as a temporary workaround.
There is currently no indication of active exploitation, but the flaw is simple enough that a proof of concept could be developed easily.
Refer to the wwbn/avideo security advisories for the latest information and updates regarding CVE-2026-34732.