{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35449", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:46:07.363Z", "dateUpdated": "2026-04-07T13:28:55.133Z"}, "containers": {"cna": {"title": "WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:46:07.363Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors."}], "source": {"advisory": "GHSA-hg8q-8wqr-35xx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T13:28:50.230315Z", "id": "CVE-2026-35449", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:28:55.133Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors."}], "id": "CVE-2026-35449", "lastModified": "2026-04-07T14:16:23.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.310", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T02:15:53.272873+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to the latest release.", "If upgrading is not possible yet, delete or move install/test.php from the web root.", "Re\u2011enable the CLI guard by restoring the commented die() statement so the script can only be accessed via CLI."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the AVideo video platform manufactured by WWBN. All installations running version\u202f26.0 or earlier are potentially impacted. No specific subversions are listed, so any deployment of 26.0 or lower should be considered at risk.", "description_and_impact": "WWBN AVideo is an open\u2011source video platform. In versions 26.0 and earlier, the install/test.php diagnostic script had its CLI\u2011only access guard disabled because the die() statement was commented out. As a result, the script remains reachable through HTTP after the application has been installed. When accessed, the script outputs detailed video\u2011viewer statistics, including IP addresses, session IDs, and user\u2011agent strings. An unauthenticated visitor can obtain this data, leading to private information leakage and potential tracking or session\u2011replay attacks. The weakness aligns with CWE\u2011200, an information\u2011disclosure vulnerability.", "risk_and_exploitability": "CVSS\u202fv3 indicates a moderate risk with a score of\u202f5.3. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a simple HTTP GET request to the script's URL, as the script is publicly accessible after installation. This exploitation requires only the knowledge of the script\u2019s location; no authentication is needed. The disclosed information can assist attackers in identifying users or forging session\u2011related data, but it does not provide code execution or administrative privileges. Because the vulnerability is straightforward to exploit, administrators should address it promptly."}}}}, "created": "2026-04-07T06:53:40.325008+00:00", "updated": "2026-04-07T09:36:37.889698+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}