CVE-2026-35450

CVSS v3.1

5.3

Medium

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().

Details

The entire file at plugin/API/check.ffmpeg.json.php:

<?php
$configFile =  DIR .'/../../videos/configuration.php';
require once $configFile;
header('Content-Type: application/json');

$obj = testFFMPEGRemote();

die(json encode($obj));

No User::isAdmin(), User::isLogged(), or any access control check exists.

Compare with sibling endpoints in the same directory:

kill.ffmpeg.json.php checks User::isAdmin()
list.ffmpeg.json.php checks User::isAdmin()

Proof of Concept

curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"

Returns information about whether the platform uses a standalone FFmpeg server and its current reachability.

Impact

Infrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.

Recommended Fix

Add an admin authentication check at plugin/API/check.ffmpeg.json.php:3, after require once $configFile;:

if (!User::isAdmin()) {
  forbiddenPage('Admin only');
}

Found by aisafe.io

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2026-35450

GHSA-2VG4-RRX4-QCPQ

Affected Products

Wwbn Avideo

CVE-2026-35450

Summary

Details

Proof of Concept

Impact

Recommended Fix

Weakness Enumeration

Related Identifiers

Affected Products

References · 3