{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35450", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:46:54.779Z", "dateUpdated": "2026-04-06T21:46:54.779Z"}, "containers": {"cna": {"title": "WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:46:54.779Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin()."}], "source": {"advisory": "GHSA-2vg4-rrx4-qcpq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin()."}], "id": "CVE-2026-35450", "lastModified": "2026-04-06T22:16:23.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.463", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T01:55:15.458862+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest AVideo release that removes unauthenticated access to check.ffmpeg.json.php", "If upgrading is not immediately possible, block unauthenticated requests to /plugin/API/check.ffmpeg.json.php via firewall rules or web server configuration", "Verify that FFmpeg endpoint authentication is enforced after applying the patch or block"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure of FFmpeg configuration"}, "threat_synthesis": {"affected_systems": "The flaw affects the WWBN AVideo platform, specifically the plugin/API/check.ffmpeg.json.php endpoint. All installations running version 26.0 or older are vulnerable. The endpoint is part of AVideo\u2019s FFmpeg management API group, which also includes kill.ffmpeg.json.php, list.ffmpeg.json.php, and ffmpeg.php\u2014but those other endpoints correctly restrict access to privileged users, so the issue is confined to the status check route alone.", "description_and_impact": "The vulnerability resides in the check.ffmpeg.json.php API endpoint of the WWBN AVideo open\u2011source video platform. In all releases up to and including version 26.0, the endpoint returns the reachability and configuration status of the remote FFmpeg server without rejecting unauthenticated requests. The insecure design doesn\u2019t enforce any authentication or authorization, so anyone who can reach the endpoint can discover whether FFmpeg is reachable and what configuration parameters it exposes, leading to a leakage of operational details. This information may aid an attacker in planning further attacks or identifying weaknesses in the host environment. The flaw aligns with CWE\u2011306, Unauthenticated Access.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a medium security impact, reflecting that the primary issue is the disclosure of technical details rather than a direct compromise of code or data integrity. The EPSS score is not reported, but the lack of authentication means any user with network visibility to the AVideo instance can make the HTTP request and obtain the FFmpeg status. The vulnerability is not listed in the CISA KEV catalog, suggesting there are no known widespread exploits, yet its simplicity allows automated discovery. Addressing it by upgrading or restricting endpoint access should mitigate the risk."}}}}, "created": "2026-04-07T06:53:39.307410+00:00", "updated": "2026-04-07T09:36:36.851225+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}