CVE-2026-34247

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated user owns the targeted schedule. After overwriting the poster, the endpoint broadcasts a `socketLiveOFFCallback` notification containing the victim's broadcast key and user ID to all connected WebSocket clients. Commit 5fcb3bdf59f26d65e203cfbc8a685356ba300b60 fixes the issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/5fcb3bdf59f26d65e203cfbc8a685356ba300b60	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-g3hj-mf85-679g	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

31 Mar 2026, 16:36

Type	Values Removed	Values Added
References	~~() https://github.com/WWBN/AVideo/commit/5fcb3bdf59f26d65e203cfbc8a685356ba300b60 -~~	() https://github.com/WWBN/AVideo/commit/5fcb3bdf59f26d65e203cfbc8a685356ba300b60 - Patch
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-g3hj-mf85-679g -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-g3hj-mf85-679g - Exploit, Vendor Advisory
First Time		Wwbn Wwbn avideo
CPE		cpe:2.3:a:wwbn:avideo::::::::

27 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 17:16

Updated : 2026-03-31 16:36

NVD link : CVE-2026-34247

Mitre link : CVE-2026-34247

CVE.ORG link : CVE-2026-34247

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-862

Missing Authorization

5.4 /10