CVE-2026-35449 MEDIUM

CVE-2026-35449: WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Vendor Wwbn

Product AVideo

Weakness CWE-200 · Info exposure

Published April 6, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors.

Key dates

Disclosure timeline

April 6, 2026 CVE published

April 7, 2026 Record updated