CVE-2026-34731

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior

Description The AVideo platform, specifically the Live plugin, has an issue where the on publish done.php endpoint does not perform authentication or authorization checks. Unauthenticated users can terminate active live streams by sending crafted POST requests to this endpoint. Attackers can obtain active stream keys from the stats.json.php endpoint and use them to disrupt live broadcasts, leading to a denial-of-service against the live streaming functionality.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.