PT-2026-28623 · Avideo · Avideo

Offset · Published 2026-03-27 · Updated 2026-03-31 · CVE-2026-34369

CVSS v3.1

5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions up to and including 26.0

Description

AVideo is an open source video platform. The get_api_video_file and get_api_video API endpoints do not verify video passwords for password-protected videos. This allows an unauthenticated attacker to retrieve direct playback URLs for any password-protected video by directly calling the API. The normal web playback flow enforces password checks via the CustomizeUser::getModeYouTube() hook, but this enforcement is absent from the API code path. The issue is addressed by commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7.

Recommendations

Update AVideo to a version later than 26.0.

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-34369
GHSA-Q6JJ-R49P-94FH

Affected Products

Avideo