PT-2026-30335 · FFmpeg+1 · Ffmpeg+1

Adrgs · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35450

CVSS v3.1

5.3 Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

The plugin/API/check.ffmpeg.json.php endpoint allows probing the FFmpeg remote server configuration and retrieving connectivity status without authentication. The sibling endpoints kill.ffmpeg.json.php, list.ffmpeg.json.php, and ffmpeg.php require User::isAdmin() access control. The file plugin/API/check.ffmpeg.json.php lacks any access control checks. A simple curl request to the '/plugin/API/check.ffmpeg.json.php' endpoint reveals information about the encoding architecture, aiding in targeted attack planning.

Recommendations

Add an admin authentication check at plugin/API/check.ffmpeg.json.php:3, immediately after the require_once $configFile; statement:

if (!User::isAdmin()) {
  forbiddenPage('Admin only');
}
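
An added example, not part of the advisory or the AVideo code base: a small Python audit that flags PHP endpoint files containing no User::isAdmin() call outside comments, which is the gap the description identifies in check.ffmpeg.json.php. The sample files, their bodies and their shared directory are constructed, and treating the presence of the call as a sufficient guard is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Guard the advisory names for the sibling endpoints. Extend with any other
# access-control call in use. Assumption: a call that appears in live code
# is actually reached before the endpoint does its work.
GUARD_CALLS = ("User::isAdmin()",)

# Heuristic PHP comment stripper (block, // and # comments).
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def has_guard(php_source: str) -> bool:
    """True if a guard call remains after comments are removed."""
    code = _COMMENTS.sub("", php_source)
    return any(call in code for call in GUARD_CALLS)

def unguarded_endpoints(api_dir: Path, pattern: str = "*.php") -> list[str]:
    """Sorted names of PHP files in api_dir that contain no guard call."""
    return sorted(
        p.name for p in api_dir.glob(pattern)
        if not has_guard(p.read_text(encoding="utf-8", errors="replace"))
    )

def build_sample_tree(root: Path) -> Path:
    """Constructed sample files modelled on the advisory's description."""
    api = root / "plugin" / "API"
    api.mkdir(parents=True)
    guarded = ("<?php\nrequire_once $configFile;\n"
               "if (!User::isAdmin()) {\n  forbiddenPage('Admin only');\n}\n")
    for name in ("kill.ffmpeg.json.php", "list.ffmpeg.json.php", "ffmpeg.php"):
        (api / name).write_text(guarded)
    # The guard appears only inside a comment, so it must still be reported.
    (api / "check.ffmpeg.json.php").write_text(
        "<?php\nrequire_once $configFile;\n"
        "// TODO: if (!User::isAdmin()) ...\necho json_encode($status);\n")
    return api

def demo() -> list[str]:
    """Run the audit over the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return unguarded_endpoints(build_sample_tree(Path(tmp)))

if __name__ == "__main__":
    for name in demo():
        print(f"no admin guard: {name}")
```

Run against a real checkout by calling unguarded_endpoints() on the plugin/API directory; endpoints that are meant to be public will also be listed and need manual review.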

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-35450
GHSA-2VG4-RRX4-QCPQ

Affected Products

Avideo
Ffmpeg