PHP
CVE-2026-35449
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.
Details
The disabled guard at install/test.php:5-7:
if (!isCommandLineInterface()) {
//return die('Command Line only');
}The script also enables verbose error reporting:
error_reporting(E_ALL);
ini_set('display_errors', '1');It then queries VideoStatistic::getLastStatistics() and outputs the result via var_dump():
$resp = VideoStatistic::getLastStatistics(getVideos_id(), User::getId());
var_dump($resp);The VideoStatistic object contains: ip (viewer IP address), session_id, user_agent, users_id, and JSON metadata. The display_errors=1 setting also leaks internal filesystem paths in any PHP warnings.
The install/ directory is not restricted by .htaccess (it only disables directory listing via Options -Indexes) and no web server rules block access to individual PHP files in this directory.
Proof of Concept
# Request viewer stats for video ID 1
curl "https://your-avideo-instance.com/install/test.php?videos_id=1"Confirmed accessible on live AVideo instances (HTTP 200).
Impact
Unauthenticated disclosure of viewer IP addresses (PII under GDPR), session identifiers, and user agents. The enabled display_errors also reveals internal server paths on errors.
- CWE: CWE-200 (Exposure of Sensitive Information)
- Severity: Low
Recommended Fix
Uncomment the CLI guard at install/test.php:6 to restore the intended access restriction:
if (!isCommandLineInterface()) {
return die('Command Line only');
}--- *Found by aisafe.io*
AnalysisAI
AVideo install/test.php diagnostic script exposes sensitive viewer statistics including IP addresses, session IDs, and user agents to unauthenticated remote attackers due to a disabled CLI-only access guard. The vulnerability allows any visitor to retrieve video viewer data via HTTP GET requests without authentication, combined with enabled error reporting that leaks internal filesystem paths. CVSS 5.3 reflects low confidentiality impact; no public exploit code identified at time of analysis.
Technical ContextAI
AVideo is a PHP-based video platform (CPE: pkg:composer/wwbn_avideo) that includes a diagnostic script at install/test.php intended for command-line use only. The script's access control relies on an isCommandLineInterface() check that has been disabled via comment on line 6, allowing HTTP requests to bypass the intended CLI-only restriction. The script invokes VideoStatistic::getLastStatistics() which queries a database table containing viewer metadata: IP addresses, PHP session identifiers, user agents, user IDs, and JSON metadata. The vulnerability stems from CWE-200 (Exposure of Sensitive Information) combined with improper access control; the install/ directory .htaccess only disables directory listing (Options -Indexes) but does not restrict access to individual PHP files. Verbose error reporting (error_reporting(E_ALL) and display_errors=1) compounds the issue by leaking filesystem paths in PHP warnings.
RemediationAI
Uncomment the CLI-only access guard in install/test.php at lines 5-7 to restore the intended restriction: change //return die('Command Line only'); to return die('Command Line only');. Additionally, remove or disable the install/ directory after installation by deleting the directory entirely or restricting HTTP access via .htaccess (e.g., Deny from all) or web server configuration. Disable verbose error reporting in production by setting display_errors to 0 or removing the ini_set() call. Refer to the vendor advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-hg8q-8wqr-35xx for the patched version and release date.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hg8q-8wqr-35xx