CVE-2025-34434

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
https://github.com/WWBN/AVideo/commit/4a53ab2056	Patch
https://github.com/WWBN/AVideo/commit/c279999cbd	Patch
https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

19 Dec 2025, 19:15

Type	Values Removed	Values Added
References		() https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ -

19 Dec 2025, 16:15

Type	Values Removed	Values Added
Summary	(en) AVideo versions prior to 20.0 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.	(en) AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

18 Dec 2025, 19:51

Type	Values Removed	Values Added
References	~~() https://github.com/WWBN/AVideo/commit/4a53ab2056 -~~	() https://github.com/WWBN/AVideo/commit/4a53ab2056 - Patch
References	~~() https://github.com/WWBN/AVideo/commit/c279999cbd -~~	() https://github.com/WWBN/AVideo/commit/c279999cbd - Patch
References	~~() https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion -~~	() https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion - Third Party Advisory
First Time		Wwbn Wwbn avideo
CPE		cpe:2.3:a:wwbn:avideo::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

17 Dec 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-17 20:15

Updated : 2025-12-19 19:15

NVD link : CVE-2025-34434

Mitre link : CVE-2025-34434

CVE.ORG link : CVE-2025-34434

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-306

Missing Authentication for Critical Function

9.1 /10