{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34364", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-03-27T18:11:05.866Z", "dateUpdated": "2026-03-27T19:56:56.507Z"}, "containers": {"cna": {"title": "AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4"}, {"name": "https://github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:11:05.866Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix."}], "source": {"advisory": "GHSA-73gr-r64q-7jh4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:31:28.325247Z", "id": "CVE-2026-34364", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:56:56.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34364", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:31:28.325247Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:43:03.947Z"}}], "cna": {"title": "AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php", "source": {"advisory": "GHSA-73gr-r64q-7jh4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9", "name": "https://github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T18:11:05.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34364", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:56:56.507Z", "dateReserved": "2026-03-27T13:43:14.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T18:11:05.866Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the `?user=` parameter is supplied, a type confusion bug causes the filter to use the admin user's (user_id=1) group memberships instead of the current user's, rendering the filter ineffective. Commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 contains a fix."}], "id": "CVE-2026-34364", "lastModified": "2026-04-14T01:22:38.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T18:16:05.570", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/6e8a673eed07be5628d0b60fbfabd171f3ce74c9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-73gr-r64q-7jh4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-14T02:51:57.713081+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to any version newer than 26.0 or apply the patch from commit 6e8a673e.", "If an upgrade is not possible, restrict access to categories.json.php behind authentication and enforce group checks manually at the application level.", "Verify that the group filtering operates correctly by testing category visibility for different user roles after applying the fix.", "Monitor web logs for suspicious category requests that may indicate exploitation attempts."], "summary": {"action": "Patch Now", "impact": "Unauthorized Category Disclosure"}, "threat_synthesis": {"affected_systems": "This flaw affects all released versions of WWBN AVideo up to and including 26.0. The affected component is the categories.json.php API, which serves the category listing data for the application.", "description_and_impact": "The vulnerability resides in the categories.json.php endpoint of the WWBN AVideo platform, which is responsible for providing a list of video categories. The code fails to enforce user group\u2011based access controls: with no user parameter the filter is entirely omitted, returning all non\u2011private categories, including those intended for specific groups. When a ?user= parameter is supplied a type\u2011confusion bug causes the filter to use the administrator\u2019s group membership (user_id=1) instead of the requested user\u2019s, rendering the restriction ineffective. In either case the end result is that categories that should be hidden from certain users become publicly listed, thereby permitting the disclosure of restricted grouping information. The description does not explicitly state whether authenticated or unauthenticated requests are required to reach the endpoint; based on the wording it is inferred that the API may be reachable without authentication, but the exact authentication model is not documented.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests low likelihood of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote HTTP requests directed at the categories.json.php endpoint; the attacker does not need to compromise the host or execute arbitrary code. The impact is confined to unauthorized information disclosure of categories and does not provide privilege escalation or further system compromise."}}}}, "created": "2026-03-27T20:27:52.368015+00:00", "updated": "2026-04-14T16:42:38.916750+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}