PT-2026-28621 · Avideo · Avideo

Published 2026-03-27 · Updated 2026-03-30 · CVE-2026-34364

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: AVideo is an open source video platform. The categories.json.php endpoint, which serves the category listing API, does not properly enforce user-group-based access controls on categories. Without the ?user= parameter, user group filtering is bypassed entirely, exposing all non-private categories. When the ?user= parameter is supplied, a type confusion issue causes the filter to use the group memberships of the admin user (user id=1) instead of those of the current user, which also bypasses the filter. The affected API endpoint is categories.json.php.

Recommendations: Versions prior to 26.0 should be updated to version 26.0 or later.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-34364
GHSA-73GR-R64Q-7JH4

Affected Products

Avideo