CVE-2026-34738
CVE-2026-34738 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
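The gap described above, value validation without caller authorization, modeled beside a hardened form. This is an added example, not AVideo's source code: only the `overrideStatus` parameter name and the status code `a` come from the advisory text, while the class, the other status codes and the caller structure are hypothetical.

```php
<?php
// Constructed model for illustration; NOT AVideo's code.
// 'a' (active) is from the advisory; 'i', 'e', 'd' are made-up sample codes.
const KNOWN_STATUSES   = ['a', 'i', 'e', 'd'];
// Hypothetical policy: statuses an ordinary uploader may request.
const UPLOADER_ALLOWED = ['i', 'e', 'd'];

final class Video
{
    public string $status = 'd';

    // Pattern from the description: the value is validated, the caller is not.
    public function setStatusUnchecked(string $status): bool
    {
        if (!in_array($status, KNOWN_STATUSES, true)) {
            return false;
        }
        $this->status = $status;
        return true;
    }

    // Hardened form: validate the value, then authorize this caller for it.
    public function setStatus(string $status, array $caller): bool
    {
        if (!in_array($status, KNOWN_STATUSES, true)) {
            return false; // unknown status code
        }
        $isAdmin = ($caller['isAdmin'] ?? false) === true;
        if (!$isAdmin && !in_array($status, UPLOADER_ALLOWED, true)) {
            // Log the denial so moderation-bypass attempts are visible.
            error_log("denied status '{$status}' for user {$caller['id']}");
            return false; // publishing stays with moderators
        }
        $this->status = $status;
        return true;
    }
}

$request  = ['overrideStatus' => 'a'];        // constructed request from an uploader
$uploader = ['id' => 42, 'isAdmin' => false]; // constructed callers
$admin    = ['id' => 1,  'isAdmin' => true];

$v = new Video();
var_dump($v->setStatusUnchecked($request['overrideStatus'])); // no caller check at all
$v = new Video();
var_dump($v->setStatus($request['overrideStatus'], $uploader)); // uploader asks for 'a'
var_dump($v->setStatus('e', $uploader));                        // uploader asks for 'e'
var_dump($v->setStatus($request['overrideStatus'], $admin));    // admin asks for 'a'
```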
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| WWBN | AVideo | <= 26.0 |
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-m577-w9j8-ch7j (Exploit, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status: Analyzed
Source: NVD / NIST
