{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35450", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:46:54.779Z", "dateUpdated": "2026-04-07T16:21:46.027Z"}, "containers": {"cna": {"title": "WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:46:54.779Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin()."}], "source": {"advisory": "GHSA-2vg4-rrx4-qcpq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T16:21:36.804995Z", "id": "CVE-2026-35450", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:21:46.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35450", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T16:21:36.804995Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:21:40.314Z"}}], "cna": {"title": "WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php", "source": {"advisory": "GHSA-2vg4-rrx4-qcpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin()."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:46:54.779Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35450", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:21:46.027Z", "dateReserved": "2026-04-02T19:25:52.192Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T21:46:54.779Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin()."}], "id": "CVE-2026-35450", "lastModified": "2026-04-14T15:37:29.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.463", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2vg4-rrx4-qcpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-14T16:53:58.648877+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest AVideo release that addresses the missing authentication on the check.ffmpeg.json.php endpoint.", "If upgrading is not an option, modify the check.ffmpeg.json.php script to require User::isAdmin() or otherwise authenticate the requester.", "Confirm that the remaining FFmpeg management endpoints continue to enforce the appropriate administrative checks.", "Monitor the web server access logs for frequent unauthenticated accesses to check.ffmpeg.json.php and investigate any suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WWBN AVideo, the open\u2011source video platform, is affected in all releases from the beginning up to and including v26.0. The vulnerability resides solely in the check.ffmpeg.json.php API file; other FFmpeg\u2011management scripts such as kill.ffmpeg.json.php, list.ffmpeg.json.php, and ffmpeg.php correctly enforce an administrative check and remain secure.", "description_and_impact": "The vulnerability exists in a diagnostic API endpoint that reports the status of a remote FFmpeg server without requiring any authentication. As a result, anyone able to reach the endpoint can observe whether the platform is able to communicate with its FFmpeg instance, revealing details about the remote server configuration. This lack of authentication is a classic example of CWE\u2011306, missing authentication on an operation that could divulge sensitive information. The impact is purely at the level of confidentiality, enabling an attacker to gather reconnaissance data about the FFmpeg setup.", "risk_and_exploitability": "The CVSS v3 score of 5.3 indicates a moderate risk. With an EPSS score below 1\u202f% and no listing in the CISA KEV catalog, the probability of exploitation in the wild appears low. The likely attack vector is a direct HTTP request to the vulnerable endpoint, which can be performed from any network that can reach the AVideo instance. Because the information disclosed is limited to connectivity status, the threat is primarily to confidentiality and may aid in further reconnaissance rather than enabling a full system compromise."}}}}, "created": "2026-04-07T06:53:39.307410+00:00", "updated": "2026-04-15T16:30:09.735532+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}