CVE-2026-34732: AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
The AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses the CreatePlugin code generator inherits this omission, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records.
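A defender's check for the omission described above, as an added example that is not AVideo's or the advisory's own code: it walks a source tree and reports every list.json.php that lacks an admin guard, noting which sibling add.json.php and delete.json.php files do carry one. The guard pattern (`User::isAdmin()`), the plugin names and the directory layout in the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the admin guard is a call to User::isAdmin(); adjust the
# pattern to whatever check your add.json.php / delete.json.php files use.
GUARD = re.compile(r"User::isAdmin\s*\(")
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def has_guard(path):
    """True if the file calls the guard outside of PHP comments."""
    src = path.read_text(encoding="utf-8", errors="replace")
    return bool(GUARD.search(COMMENTS.sub("", src)))

def audit(root):
    """Return (list.json.php path, guarded sibling names) for each unguarded listing."""
    findings = []
    for listing in sorted(Path(root).rglob("list.json.php")):
        if has_guard(listing):
            continue
        siblings = [n for n in ("add.json.php", "delete.json.php")
                    if listing.with_name(n).is_file() and has_guard(listing.with_name(n))]
        findings.append((listing.relative_to(root).as_posix(), siblings))
    return findings

def build_sample_tree(root):
    """Constructed sample: two hypothetical plugins, one with the omission."""
    guard = "<?php\nif (!User::isAdmin()) { die('{\"error\":true}'); }\n"
    files = {
        "plugin/DemoA/View/Thing/add.json.php": guard,
        "plugin/DemoA/View/Thing/delete.json.php": guard,
        # The guard appears only in a comment here, so it must not count.
        "plugin/DemoA/View/Thing/list.json.php":
            "<?php\n// User::isAdmin() check missing\necho json_encode($rows);\n",
        "plugin/DemoB/View/Item/add.json.php": guard,
        "plugin/DemoB/View/Item/list.json.php": guard + "echo json_encode($rows);\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, sibs in audit(tmp):
            print(f"UNGUARDED {rel} (guarded siblings: {', '.join(sibs) or 'none'})")
```

The comment stripping is deliberately crude and errs toward reporting a file as unguarded; a finding with guarded siblings is the template pattern the advisory describes and should be reviewed first.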