PT-2026-29362 · Avideo · Avideo

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34732

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

The AVideo platform, an open source video platform, has an issue in the CreatePlugin template for list.json.php in versions 26.0 and prior. This template lacks authentication and authorization checks. While other templates, add.json.php and delete.json.php, require admin privileges, list.json.php does not. This omission affects plugins using the CreatePlugin code generator, resulting in 21 unauthenticated data listing endpoints. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
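
With no fixed release listed, one way to find affected files on your own install is to audit the source tree for list.json.php files that lack the guard their add.json.php and delete.json.php siblings carry. The script below is an added example, not AVideo code: the guard string `User::isAdmin()`, the function names, and the plugin names and directory layout in the constructed sample tree are all assumptions to adjust to your checkout.

```python
import os
import tempfile

# Assumption: the admin check shows up in source as this string. Set it to the
# guard your add.json.php / delete.json.php files actually contain.
GUARD_MARKERS = ("User::isAdmin()",)
SIBLINGS = ("add.json.php", "delete.json.php")

def has_guard(path, markers=GUARD_MARKERS):
    """True if the file is readable and contains any guard marker (substring match)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return False
    return any(m in text for m in markers)

def find_unguarded_list_endpoints(root, markers=GUARD_MARKERS):
    """Return sorted (relative path, guarded siblings) for each list.json.php lacking a guard."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "list.json.php" not in files:
            continue
        target = os.path.join(dirpath, "list.json.php")
        if has_guard(target, markers):
            continue
        guarded = [s for s in SIBLINGS if has_guard(os.path.join(dirpath, s), markers)]
        findings.append((os.path.relpath(target, root), guarded))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree (hypothetical plugin names and layout)."""
    guard = "<?php\nif (!User::isAdmin()) { die('forbidden'); }\n"
    body = "echo json_encode($rows);\n"
    files = {
        "plugin/DemoA/View/Demo_log/add.json.php": guard + body,
        "plugin/DemoA/View/Demo_log/delete.json.php": guard + body,
        "plugin/DemoA/View/Demo_log/list.json.php": "<?php\n" + body,  # no guard
        "plugin/DemoB/View/Demo_item/add.json.php": guard + body,
        "plugin/DemoB/View/Demo_item/list.json.php": guard + body,  # guarded
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, guarded in find_unguarded_list_endpoints(tmp):
            print(f"{rel}: no guard (guarded siblings: {', '.join(guarded) or 'none'})")
```

A finding whose siblings are guarded matches the pattern the description gives; the substring match also counts a guard that appears only in a comment, so review each hit by hand.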

Exploit

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-34732
GHSA-G2MG-CGR6-VMV7

Affected Products

Avideo