PT-2026-28616 · Avideo · Avideo

Offset · Published 2026-03-27 · Updated 2026-03-30 · CVE-2026-34245

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: The plugin/PlayLists/View/Playlists_schedules/add.json.php endpoint in AVideo allows authenticated users with streaming permission to create or modify broadcast schedules for any playlist, regardless of ownership. When a schedule executes, the rebroadcast runs under the victim playlist owner's identity, potentially leading to content hijacking and stream disruption. The endpoint performs a capability check to ensure the user can stream, but does not verify playlist ownership. The Playlists_schedules::save() method only validates that playlists_id is not empty, without checking ownership. The run.php file uses the playlist owner's user ID when executing the rebroadcast. The API endpoint is plugin/PlayLists/View/Playlists_schedules/add.json.php and it uses the playlists_id variable.

Recommendations: Versions up to and including 26.0: add ownership validation in add.json.php before saving. Specifically, after the capability check, verify ownership using PlayLists::canManagePlaylist($playlists_id). When editing existing schedules, also verify ownership of the existing record.
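The recommended ordering of checks written out as an added illustration; this is not AVideo's own code. PlayLists::canManagePlaylist() is the check named in the advisory, while User::canStream(), Playlists_schedules::getFromDb() and the setPlaylists_id() setter are assumed helper names.

```php
<?php
// Illustrative hardened add.json.php handler (added example, not AVideo's code).
// Assumed helpers: User::canStream(), Playlists_schedules::getFromDb(),
// Playlists_schedules::setPlaylists_id(); application bootstrap is omitted.
header('Content-Type: application/json');

$obj = new stdClass();
$obj->error = true;
$obj->msg = '';

// 1. Capability check: the caller must be allowed to stream at all.
//    This check exists in the vulnerable version; on its own it says nothing
//    about which playlists the caller may schedule.
if (!User::canStream()) {
    $obj->msg = 'Streaming permission required';
    die(json_encode($obj));
}

$playlists_id = intval($_POST['playlists_id'] ?? 0);
$schedule_id = intval($_POST['id'] ?? 0);

// 2. Ownership check on the target playlist (the missing authorization).
//    Without it, a schedule can be attached to any playlist and run.php
//    later executes the rebroadcast as that playlist's owner.
if (empty($playlists_id) || !PlayLists::canManagePlaylist($playlists_id)) {
    $obj->msg = 'You do not own this playlist';
    die(json_encode($obj));
}

// 3. When editing, also check the playlist the existing record points to,
//    so an existing schedule cannot be re-pointed between playlists the
//    caller does not own.
if (!empty($schedule_id)) {
    $existing = Playlists_schedules::getFromDb($schedule_id);
    if (empty($existing) || !PlayLists::canManagePlaylist($existing['playlists_id'])) {
        $obj->msg = 'You do not own the playlist of this schedule';
        die(json_encode($obj));
    }
}

// Only now is the record created or updated; save() itself still only
// validates that playlists_id is non-empty, so the checks above must
// precede it rather than be assumed inside it.
$schedule = new Playlists_schedules($schedule_id);
$schedule->setPlaylists_id($playlists_id);
// Remaining schedule fields are populated from $_POST in the same way.
$obj->id = $schedule->save();
$obj->error = empty($obj->id);
echo json_encode($obj);
```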

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-34245, GHSA-2RM7-J397-3FQG

Affected Products: Avideo