{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34395", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.619Z", "datePublished": "2026-03-31T20:38:54.373Z", "dateUpdated": "2026-04-01T18:35:40.270Z"}, "containers": {"cna": {"title": "AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-77jp-mgcw-rfmr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-77jp-mgcw-rfmr"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:38:54.373Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-77jp-mgcw-rfmr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:35:32.284121Z", "id": "CVE-2026-34395", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:35:40.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34395", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:35:32.284121Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:35:36.563Z"}}], "cna": {"title": "AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php", "source": {"advisory": "GHSA-77jp-mgcw-rfmr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-77jp-mgcw-rfmr", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-77jp-mgcw-rfmr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:38:54.373Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34395", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:35:40.270Z", "dateReserved": "2026-03-27T13:45:29.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T20:38:54.373Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34395", "lastModified": "2026-04-01T20:35:18.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T21:16:30.817", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-77jp-mgcw-rfmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-02T03:53:40.437918+00:00", "value": {"mitigation_remediation": ["Apply an official patch or update to AVideo when it becomes available.", "If a patch is not yet released, disable or remove the YPTWallet plugin to eliminate the vulnerable endpoint.", "Alternatively, restrict access to the /YPTWallet/view/users.json.php endpoint so that only administrative users can invoke it.", "Verify that no other authenticated users have unnecessary access privileges in the platform.", "Regularly check the WWBN project page for new security releases."], "summary": {"action": "Assess Impact", "impact": "Mass disclosure of user PII and wallet balances"}, "threat_synthesis": {"affected_systems": "The issue affects the WWBN AVideo open\u2011source video platform, specifically versions 26.0 and earlier. The problematic endpoint resides in the YPTWallet plugin. Anyone running an affected instance, regardless of the underlying operating system, is potentially vulnerable if the plugin is installed.", "description_and_impact": "The flaw in the YPTWallet users.json.php endpoint allows any authenticated user to retrieve the complete list of platform users along with their personal information and wallet balances. Because the code only checks for generic authentication and never confirms administrative privileges, attackers can harvest sensitive data by simply logging into the system. The vulnerability is a classic example of missing authority checks, categorized as CWE-862, resulting in privacy compromise for all registered users.", "risk_and_exploitability": "The CVSS base score of 6.5 signals a medium\u2011severity risk. EPSS indicates less than 1% chance of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Exploitation requires only that the user is authenticated; an attacker who creates a free account or compromises another user\u2019s credentials can trigger the data dump. No publicly available patch exists at publication, so the vulnerability remains exploitable until an update is released."}}}}, "created": "2026-04-02T07:52:31.528221+00:00", "updated": "2026-04-02T20:10:45.654111+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}