CVE-2026-35450

Severity: MEDIUM (CVSS 3.1 base score 5.3)
Published: 2026-04-04
Project: https://github.com/WWBN/AVideo
Advisory: GHSA-2vg4-rrx4-qcpq

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 04, 2026 - 06:30 (vuln.today)
CVE Published: Apr 04, 2026 - 06:16 (nvd), rated MEDIUM 5.3

Description

## Summary

The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (`kill.ffmpeg.json.php`, `list.ffmpeg.json.php`, `ffmpeg.php`) require `User::isAdmin()`.

## Details

The entire file at `plugin/API/check.ffmpeg.json.php`:

```php
<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
$obj = testFFMPEGRemote();
die(json_encode($obj));
```

No `User::isAdmin()`, `User::isLogged()`, or any access control check exists. Compare with sibling endpoints in the same directory:

- `kill.ffmpeg.json.php` checks `User::isAdmin()`
- `list.ffmpeg.json.php` checks `User::isAdmin()`

## Proof of Concept

```bash
curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"
```

Returns information about whether the platform uses a standalone FFmpeg server and its current reachability.

## Impact

Infrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.

## Recommended Fix

Add an admin authentication check at `plugin/API/check.ffmpeg.json.php:3`, after `require_once $configFile;`:

```php
if (!User::isAdmin()) {
    forbiddenPage('Admin only');
}
```

---

*Found by [aisafe.io](https://aisafe.io)*
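The bug class above is a single endpoint in a directory whose siblings all gate on `User::isAdmin()` while it does not. As an added example (not part of the advisory or of the AVideo code base), the following Python script sweeps a directory of PHP endpoints and flags files with no `User::isAdmin()` / `User::isLogged()` call, using comment-stripped source so a commented-out check does not count; the vulnerable file is quoted from the advisory, while the bodies of the `kill`/`list` siblings and all function names are assumed for illustration.

```python
# Added example, not the advisory's or AVideo's own code: a static sweep for
# the bug class above, i.e. one endpoint in a directory whose siblings all
# gate on User::isAdmin()/User::isLogged() while it does not. Sample files
# are constructed to mirror the advisory; the kill/list bodies are assumed.
import re
import tempfile
from pathlib import Path

AUTH_CHECK = re.compile(r"User::(isAdmin|isLogged)\s*\(")

VULN = (
    "<?php\n"
    "$configFile = __DIR__.'/../../videos/configuration.php';\n"
    "require_once $configFile;\n"
    "header('Content-Type: application/json');\n"
    "$obj = testFFMPEGRemote();\n"
    "die(json_encode($obj));\n"
)
GATED = (
    "<?php\n"
    "require_once __DIR__.'/../../videos/configuration.php';\n"
    "if (!User::isAdmin()) { forbiddenPage('Admin only'); }\n"
)
SAMPLE_FILES = {
    "check.ffmpeg.json.php": VULN,  # as quoted in the advisory
    "kill.ffmpeg.json.php": GATED + "// kill logic (constructed)\n",
    "list.ffmpeg.json.php": GATED + "// list logic (constructed)\n",
}

def strip_comments(src: str) -> str:
    """Remove // and /* */ comments so a commented-out check does not count."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def has_auth_check(src: str) -> bool:
    return AUTH_CHECK.search(strip_comments(src)) is not None

def find_ungated(directory: Path, glob: str = "*.php") -> list[str]:
    """Names of PHP files under `directory` that contain no auth check."""
    return sorted(p.name for p in directory.glob(glob)
                  if not has_auth_check(p.read_text()))

def demo() -> list[str]:
    # Write the constructed samples to a temp dir and scan them.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_text(body)
        return find_ungated(root, "*.ffmpeg.json.php")
```

Calling `demo()` returns `['check.ffmpeg.json.php']`; the scan is a heuristic and will not see a check performed in an included file, so treat hits as review candidates rather than confirmed findings.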

Analysis

Unauthenticated access to FFmpeg server configuration endpoint in AVideo allows remote attackers to probe infrastructure details and determine encoding architecture without authentication, while sibling management endpoints properly enforce admin-only access. This information disclosure aids reconnaissance for targeted attacks against video encoding infrastructure. …


Priority Score: 26

KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0


