PT-2026-30336 · Clonesite+1

Adrgs · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35452

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

The plugin/CloneSite/client.log.php endpoint serves the clone operation log file without authentication. Other endpoints in the CloneSite plugin directory enforce User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata. The log file is populated by cloneClient.json.php, which writes operational details during clone operations. The $cmd variable within cloneClient.json.php contains wget commands with internal filesystem paths and rsync command templates with SSH connection details (username, IP, port).

Recommendations

Add an admin authentication check at plugin/CloneSite/client.log.php before the include statement. For example:

    require_once '../../videos/configuration.php';
    // Reject non-admin requests before any log content is included.
    if (!User::isAdmin()) {
        http_response_code(403);
        die('Access denied');
    }
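
To check whether the log was already fetched before the admin check was in place, the following added example (not code from this advisory or from AVideo) scans web server access logs for served copies of client.log.php. It assumes Apache/nginx combined-format logs; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the advisory; installs under a sub-directory are matched too.
TARGET = "plugin/clonesite/client.log.php"

# Apache/nginx "combined" log format (assumed; adjust for custom formats).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(uri):
    """Drop the query string, decode percent-escapes, collapse '//' and lower-case."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def find_log_reads(lines):
    """Return {client_ip: [(timestamp, status, bytes), ...]} for served copies of the log."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # The trailing "/" also catches PATH_INFO forms such as client.log.php/x
        if f"/{TARGET}/" not in normalise(m["uri"]) + "/":
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # Only 2xx responses with a body mean log content left the server;
        # a 403 is what the endpoint returns once the admin check is added.
        if 200 <= status < 300 and size > 0:
            hits[m["ip"]].append((m["ts"], status, size))
    return dict(hits)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [05/Apr/2026:10:12:01 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '198.51.100.7 - - [05/Apr/2026:10:12:09 +0000] "GET /avideo//plugin/CloneSite/client%2Elog.php?x=1 HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '203.0.113.20 - - [07/Apr/2026:08:00:00 +0000] "GET /plugin/CloneSite/client.log.php HTTP/1.1" 403 13 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [07/Apr/2026:08:01:00 +0000] "GET /plugin/CloneSite/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reads in find_log_reads(SAMPLE).items():
        print(ip, len(reads), "read(s):", reads)
```

Access logs do not record whether a request carried an admin session, so each hit is a lead to review. Where a read is confirmed, treat the paths and SSH connection details written to the log as disclosed.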

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-35452
GHSA-99J6-HJ87-6FCF

Affected Products

Avideo
Clonesite