{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35179", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T19:05:49.325Z", "dateUpdated": "2026-04-06T19:05:49.325Z"}, "containers": {"cna": {"title": "WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x9w5-xccw-5h9w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x9w5-xccw-5h9w"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:05:49.325Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials."}], "source": {"advisory": "GHSA-x9w5-xccw-5h9w", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them directly to the Graph API via InstagramUploader::publishMediaIfIsReady(). This allows any unauthenticated user to make arbitrary Graph API calls through the server, potentially using stolen tokens or abusing the platform's own credentials."}], "id": "CVE-2026-35179", "lastModified": "2026-04-06T20:16:26.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:26.080", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x9w5-xccw-5h9w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T01:40:08.319412+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version newer than 26.0 where the proxy endpoint is removed or secured.", "If an upgrade is not possible, uninstall or disable the SocialMediaPublisher plugin to eliminate the exposed API.", "Restrict access to publishInstagram.json.php by implementing HTTP authentication or IP whitelisting until a patch is applied.", "Monitor web server logs for unusual requests to the endpoint and verify that no unauthorized media is being posted to Instagram.", "As a temporary safeguard, enforce server-side validation of access tokens and refuse to forward requests that use external or unverified tokens."], "summary": {"action": "Apply Patch", "impact": "Unauthorized proxy to Instagram Graph API via unauthenticated endpoint"}, "threat_synthesis": {"affected_systems": "WWBN AVideo, versions 26.0 and earlier, have the vulnerable endpoint. Versions newer than 26.0 are presumed to have the vulnerability remedied.", "description_and_impact": "The SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that forwards requests directly to the Instagram Graph API without validating the origin of the request. Parameters such as an access token, container ID, and Instagram account ID are accepted from untrusted users and passed to InstagramUploader::publishMediaIfIsReady(). This enables any internet user to trick the server into making arbitrary Graph API calls, potentially using stolen tokens or the platform\u2019s own credentials. The result can be unwanted posts, data exfiltration, or abuse of the account\u2019s messaging capabilities, reflecting a missing authentication flaw identified by CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 denotes moderate severity. Because the endpoint accepts requests without authentication, an attacker only needs to issue a simple HTTP call to publishInstagram.json.php to exploit the flaw. The EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not yet been documented, yet the low barrier to entry poses a real threat to systems that rely on this plugin."}}}}, "created": "2026-04-07T06:54:33.675355+00:00", "updated": "2026-04-07T09:37:36.723538+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}