GHSA-2vg4-rrx4-qcpq

Source
https://github.com/advisories/GHSA-2vg4-rrx4-qcpq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2vg4-rrx4-qcpq/GHSA-2vg4-rrx4-qcpq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2vg4-rrx4-qcpq
Aliases
  • CVE-2026-35450
Published
2026-04-04T06:16:49Z
Modified
2026-04-07T14:37:56.613553Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Details

Summary

The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().

Details

The entire file at plugin/API/check.ffmpeg.json.php:

<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');

$obj = testFFMPEGRemote();

die(json_encode($obj));

No User::isAdmin(), User::isLogged(), or any access control check exists.

Compare with sibling endpoints in the same directory:
  • kill.ffmpeg.json.php checks User::isAdmin()
  • list.ffmpeg.json.php checks User::isAdmin()

Proof of Concept

curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"

Returns information about whether the platform uses a standalone FFmpeg server and its current reachability.

Impact

The endpoint enables infrastructure reconnaissance by revealing the encoding architecture (whether a standalone FFmpeg server is in use and whether it is reachable). Direct impact is limited, but the information aids targeted attack planning.

Recommended Fix

Add an admin authentication check in plugin/API/check.ffmpeg.json.php at line 3, immediately after require_once $configFile;, so that the probe runs only for administrators:

if (!User::isAdmin()) {
    forbiddenPage('Admin only');
}
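The advisory's finding is that one endpoint in plugin/API/ lacks the User::isAdmin() gate its siblings have. The following script is an added example, not code from the advisory or the AVideo project: it audits a set of PHP endpoint sources and reports those with no User::isAdmin() or User::isLogged() call in executable code. The endpoint contents below are constructed to mirror the shapes the advisory describes (one unprotected file, two protected siblings) and are not the project's real files. Comments are stripped before matching so that a check mentioned only in a comment does not count as protection, while string literals are preserved so that a "//" inside a URL is not mistaken for a comment.

```python
import re

# Constructed sample endpoint sources, modelled on the advisory's description of
# plugin/API/. They are illustrative stand-ins, not the project's real files.
SAMPLE_ENDPOINTS = {
    # Vulnerable shape from the advisory: the only mention of an admin check is in
    # a comment, which must not count as protection.
    "plugin/API/check.ffmpeg.json.php": """<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
// User::isAdmin() was never added here
$obj = testFFMPEGRemote();
die(json_encode($obj));
""",
    # Protected siblings, as the advisory describes them (bodies are constructed).
    "plugin/API/kill.ffmpeg.json.php": """<?php
require_once __DIR__.'/../../videos/configuration.php';
if (!User::isAdmin()) {
    forbiddenPage('Admin only');
}
/* 'http://example.invalid/' appears only in this comment */
die(json_encode(['ok' => true]));
""",
    "plugin/API/list.ffmpeg.json.php": """<?php
require_once __DIR__.'/../../videos/configuration.php';
$url = 'http://ffmpeg.internal/status';  # the // here is inside a string
if (!User::isAdmin()) { forbiddenPage('Admin only'); }
die(json_encode(getFFMPEGRemoteList()));
""",
}

# Lexer for the three token kinds we care about: quoted strings are kept verbatim
# (so "//" inside a URL literal survives), block and line comments are dropped.
_TOKEN = re.compile(
    r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")   # single- or double-quoted string
  | /\*.*?\*/                                    # block comment
  | (?://|\#)[^\n]*                              # line comment
    """,
    re.VERBOSE | re.DOTALL,
)

# The access-control calls the advisory names as the expected gate on these endpoints.
_ACCESS_CHECK = re.compile(r"\bUser::(?:isAdmin|isLogged)\s*\(")


def strip_php_comments(src: str) -> str:
    """Remove PHP comments while leaving string literals untouched."""
    return _TOKEN.sub(lambda m: m.group("str") or "", src)


def has_access_check(src: str) -> bool:
    """True if executable code (not a comment) calls User::isAdmin() or User::isLogged()."""
    return _ACCESS_CHECK.search(strip_php_comments(src)) is not None


def audit(endpoints: dict) -> list:
    """Return the sorted paths of endpoints that contain no access-control call."""
    return sorted(path for path, src in endpoints.items() if not has_access_check(src))


if __name__ == "__main__":
    for path in audit(SAMPLE_ENDPOINTS):
        print(f"UNPROTECTED: {path}")
```

On the constructed inputs the script reports only plugin/API/check.ffmpeg.json.php. The check is purely syntactic: it confirms that a gate call exists somewhere in the file, not that it precedes every privileged action, so a hit still needs a reviewer to confirm the call sits before the probe, as the recommended fix places it.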

Found by aisafe.io

Database specific
{
    "github_reviewed_at": "2026-04-04T06:16:49Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-306"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-04-06T22:16:23Z"
}
References

Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn/avideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
26.0

Affected versions

10.*
10.4
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
14.4
18.*
18.0
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2vg4-rrx4-qcpq/GHSA-2vg4-rrx4-qcpq.json"