PT-2026-29363 · Avideo · Avideo

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34733

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

AVideo is an open source video platform. The installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its command-line interface (CLI)-only access guard. The guard condition !php_sapi_name() === 'cli' always evaluates to false because of PHP's operator precedence rules: the ! (logical NOT) operator binds more tightly than === (strict comparison), so the negation is applied to the return value of php_sapi_name() first and the resulting boolean is then compared with the string 'cli'. The guard therefore never rejects a request, and the script can be accessed via HTTP without authentication, leading to the deletion of files from the server's temp directory and the disclosure of the temp directory contents in the response. The php_sapi_name() function returns the type of interface between PHP and the web server.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
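
The precedence bug described above, reduced to a runnable PHP illustration. This is an added example, not AVideo's code or an official patch; the helper names flawedGuardBlocks and fixedGuardBlocks and the sample SAPI strings are assumptions made for the demonstration.

```php
<?php
// Added example, not AVideo source. Helper names and sample SAPI values
// are constructed for illustration.

// Corrected CLI-only guard, placed before any output: compare, then reject.
if (php_sapi_name() !== 'cli') {
    http_response_code(403);
    exit('This script can only be run from the command line.');
}

// Guard as described in the advisory. PHP parses the expression as
// (!$sapi) === 'cli', because ! binds more tightly than ===.
function flawedGuardBlocks(string $sapi): bool
{
    // !$sapi is a boolean, and a boolean is never identical to the string 'cli'.
    return !$sapi === 'cli';
}

// Corrected comparison: true for every interface other than the CLI.
function fixedGuardBlocks(string $sapi): bool
{
    return $sapi !== 'cli';
}

// Constructed inputs: one CLI run and three web-facing SAPI names.
$samples = ['cli', 'apache2handler', 'fpm-fcgi', 'cgi-fcgi'];

// Print, for each interface, whether each guard would block the request.
printf("%-16s %-14s %s\n", 'SAPI', 'flawed blocks', 'fixed blocks');
foreach ($samples as $sapi) {
    printf(
        "%-16s %-14s %s\n",
        $sapi,
        var_export(flawedGuardBlocks($sapi), true),
        var_export(fixedGuardBlocks($sapi), true)
    );
}
```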

Exploit

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-34733
GHSA-WWPW-HRX8-79R5

Affected Products

Avideo