#VU125506 Information disclosure in AVideo - CVE-2026-35449
Published: April 8, 2026
Vulnerability identifier: #VU125506
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35449
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
AVideo
AVideo
Software vendor:
World Wide Broadcast Network
World Wide Broadcast Network
Description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in install/test.php when handling HTTP requests to the diagnostic script. A remote attacker can send a specially crafted request with a video identifier to disclose sensitive information.
The issue can expose viewer IP addresses, session identifiers, user agents, and internal filesystem paths through PHP error output.
Remediation
Install security update from vendor's website.