CVE-2026-34733 - Vulnerability Analysis
MediumCVSS: 6.5Last Updated: April 1, 2026
WWBN AVideo - Broken Access Control
Published: March 31, 2026Updated: April 1, 2026PoC AvailableRemote Exploitable
Overview
WWBN AVideo <= 26.0 contains a broken access control caused by a PHP operator precedence bug in install/deleteSystemdPrivate.php CLI-only guard, letting remote attackers delete temp files and disclose directory contents via HTTP, exploit requires no special privileges.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Remote attackers can delete server temp files and disclose directory contents, potentially disrupting service and exposing sensitive information.
Mitigation
Update to the latest version once a patch is available or apply custom access control fixes.
Related Resources
Details
- CVE ID
- CVE-2026-34733
- Severity
- Medium
- CVSS Score
- 6.5
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L