PT-2026-28624 · Wwbn · Avideo

Adrgs · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-34374

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions up to and including 26.0

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Live_schedule::keyExists() method builds a SQL query by inserting a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists() when the primary, parameterized lookup fails, so the fallback bypasses the protection of the initial lookup. The issue affects the stream key lookup used during RTMP publish authentication. Attackers may be able to access the entire user database through live streams. The Live_schedule::keyExists() function is vulnerable.

Recommendations

Versions up to and including 26.0 should be updated when a patched version becomes available. As a temporary workaround, consider disabling the Live_schedule::keyExists() function until a patch is available.
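
The pattern in the description, a parameterized primary lookup followed by a string-built fallback, is shown here as an added example; it is not AVideo's code. The table names, the helper function names, the sample keys, and the use of PDO with in-memory SQLite are all assumptions made for illustration.

```php
<?php
// Added illustration, not AVideo source. Tables, helper names and keys are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE transmitions (stream_key TEXT)");
$db->exec("CREATE TABLE schedules (stream_key TEXT)");
$db->exec("INSERT INTO transmitions VALUES ('live-key-1')");
$db->exec("INSERT INTO schedules VALUES ('sched-key-1')");

// Primary lookup: parameterized, so the key is only ever treated as data.
function primaryKeyExists(PDO $db, string $key): bool {
    $st = $db->prepare("SELECT 1 FROM transmitions WHERE stream_key = ?");
    $st->execute([$key]);
    return $st->fetchColumn() !== false;
}

// Fallback as described in the advisory: the key becomes part of the SQL text.
function fallbackUnsafe(PDO $db, string $key): bool {
    $sql = "SELECT 1 FROM schedules WHERE stream_key = '$key'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Hardened fallback: same query, key bound as a parameter.
function fallbackSafe(PDO $db, string $key): bool {
    $st = $db->prepare("SELECT 1 FROM schedules WHERE stream_key = ?");
    $st->execute([$key]);
    return $st->fetchColumn() !== false;
}

// The fallback runs only when the primary lookup finds nothing, which is
// exactly the path an unknown or malformed key takes.
function keyExists(PDO $db, string $key, callable $fallback): bool {
    return primaryKeyExists($db, $key) || $fallback($db, $key);
}

// Constructed inputs: two valid keys, one unknown key, one key containing quotes.
$cases = ['live-key-1', 'sched-key-1', 'unknown', "x' OR '1'='1"];
foreach ($cases as $key) {
    printf("%-14s unsafe=%-5s safe=%s\n", $key,
        var_export(keyExists($db, $key, 'fallbackUnsafe'), true),
        var_export(keyExists($db, $key, 'fallbackSafe'), true));
}
```

Only the concatenating fallback accepts the quoted key, which is why every lookup on the authentication path has to be parameterized, not just the first one.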

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-34374
GHSA-XGV5-66WP-CH88

Affected Products

Avideo