PT-2026-30334 · Avideo · Avideo

Adrgs · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35449

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior

Description: The install/test.php diagnostic script has its CLI-only access guard disabled, so the script remains reachable over HTTP after installation. This exposes video viewer statistics, including IP addresses, session IDs and user agents, to unauthenticated visitors. The script queries VideoStatistic::getLastStatistics() and prints the result with var_dump(). The VideoStatistic object contains viewer IP addresses (ip), session IDs (session_id), user agents (user_agent), user IDs (users_id) and JSON metadata. Verbose error reporting is enabled, potentially revealing internal filesystem paths. The vulnerable endpoint is /install/test.php, which accepts the videos_id variable.

Recommendations: Uncomment the CLI guard at install/test.php:6 to restore the intended access restriction.
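A practitioner patching this wants a way to confirm, before and after the fix, that install/test.php no longer answers over HTTP. The script below is an added example written for this advisory, not AVideo project code. It assumes videos_id is passed as a GET query parameter, that the script's output follows PHP's standard var_dump() layout, and that a non-200 response means the CLI guard is back in place; the sample response embedded in it is constructed, not captured from a real instance.

```python
"""Check whether AVideo's install/test.php still answers over HTTP.

Added example for this advisory, not AVideo project code. Assumed: videos_id
is a GET parameter, the output is PHP's standard var_dump() layout, and a
non-200 response means the CLI guard is back in place.
"""
import re
import sys
import urllib.error
import urllib.request

SENSITIVE_FIELDS = ("ip", "session_id", "user_agent", "users_id")  # per advisory

# var_dump() layout: a record header, then  ["key"]=>  with the value on the
# next line, e.g.  string(11) "203.0.113.5"  /  int(7)  /  NULL
_RECORD_START = re.compile(r"object\(VideoStatistic\)#\d+ \(\d+\) \{")
_MEMBER_KEY = re.compile(r'\["(?P<key>[^"]+)"\]=>\s*\n\s*')
# PHP's default error format leaks paths as "... in /path/file.php on line N"
_PHP_PATH = re.compile(r" in (/\S+?\.php) on line \d+")


def _read_scalar(text, pos):
    """Parse the var_dump() scalar that starts at text[pos:]."""
    m = re.match(r'string\((\d+)\) "', text[pos:])
    if m:  # honour the declared length so JSON strings with quotes survive
        start = pos + m.end()  # PHP counts bytes; ASCII assumed in the sample
        return text[start:start + int(m.group(1))]
    m = re.match(r"int\((-?\d+)\)", text[pos:])
    if m:
        return int(m.group(1))
    return None  # NULL, or a nested value this check does not need


def parse_var_dump_records(body):
    """Return one dict per dumped VideoStatistic object."""
    starts = [m.start() for m in _RECORD_START.finditer(body)]
    records = []
    for start, end in zip(starts, starts[1:] + [len(body)]):
        chunk = body[start:end]
        records.append({m.group("key"): _read_scalar(chunk, m.end())
                        for m in _MEMBER_KEY.finditer(chunk)})
    return records


def assess(status, body):
    """Decide whether an install/test.php response leaks viewer data."""
    records = parse_var_dump_records(body) if status == 200 else []
    fields = sorted({k for r in records for k in SENSITIVE_FIELDS
                     if r.get(k) is not None})
    return {"exposed": bool(fields), "records": len(records),
            "fields": fields, "paths": sorted(set(_PHP_PATH.findall(body)))}


def fetch_test_php(base_url, videos_id=1, timeout=10):
    """GET /install/test.php?videos_id=N and return (status, body)."""
    url = f"{base_url.rstrip('/')}/install/test.php?videos_id={int(videos_id)}"
    req = urllib.request.Request(url, headers={"User-Agent": "test-php-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample of what an exposed instance might return; not captured.
SAMPLE_EXPOSED_BODY = """Warning: Undefined variable $x in /var/www/html/install/test.php on line 12
array(2) {
  [0]=>
  object(VideoStatistic)#3 (6) {
    ["id"]=>
    int(41)
    ["ip"]=>
    string(11) "203.0.113.5"
    ["session_id"]=>
    string(26) "k3j9q1s0d8f7g6h5j4k3l2m1n0"
    ["user_agent"]=>
    string(11) "Mozilla/5.0"
    ["users_id"]=>
    NULL
    ["json"]=>
    string(18) "{"referer":"none"}"
  }
  [1]=>
  object(VideoStatistic)#4 (2) {
    ["ip"]=>
    string(12) "198.51.100.7"
    ["users_id"]=>
    int(7)
  }
}
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        status, body = fetch_test_php(sys.argv[1])
    else:  # no URL given: run against the constructed sample
        status, body = 200, SAMPLE_EXPOSED_BODY
    result = assess(status, body)
    print(result)
    sys.exit(1 if result["exposed"] else 0)
```

Run it as `python3 check_test_php.py https://avideo.example.com`; a non-zero exit means viewer records were parsed out of the response. Parsing the dump rather than grepping for a keyword keeps the check honest: an instance that merely returns an HTML error page with the word "ip" in it is not flagged, while one that dumps even a single VideoStatistic object is.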

Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2026-35449, GHSA-HG8Q-8WQR-35XX

Affected Products: Avideo