CVE-2026-34732 affects WWBN AVideo, an open-source video platform widely used for video hosting and streaming. In versions 26.0 and prior, the CreatePlugin template for list.json.php does not enforce any authentication or authorization, unlike companion templates add.json.php and delete.json.php which require admin privileges. This omission means that any plugin created using the CreatePlugin code generator inherits this vulnerability, resulting in 21 unauthenticated data listing endpoints across the platform. These endpoints expose sensitive data including user PII, payment transaction logs, IP addresses, user agents, and internal system records, potentially allowing attackers to harvest confidential information without any credentials or user interaction. The vulnerability is classified under CWE-306, indicating missing authentication for critical functions. The CVSS v3.1 base score is 5.3 (medium), reflecting the lack of authentication but limited impact on integrity and availability. At the time of disclosure, no patches or fixes have been released, and no active exploitation has been observed. This vulnerability poses a significant privacy risk and could facilitate further attacks if combined with other weaknesses.

The primary impact of CVE-2026-34732 is unauthorized disclosure of sensitive information. Attackers can access user personally identifiable information, payment transaction logs, IP addresses, user agents, and internal system data without authentication. This data exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, PCI DSS), and reputational damage. Organizations may face legal liabilities and loss of customer trust. Although the vulnerability does not allow modification or deletion of data, the exposed information could be leveraged for targeted phishing, social engineering, or further exploitation of the platform. The lack of authentication also increases the attack surface, making automated data scraping and reconnaissance trivial. Since no patches are currently available, affected organizations remain vulnerable until mitigations are applied. The scope includes all users of WWBN AVideo version 26.0 and earlier, which may be significant given the platform's open-source nature and adoption in various industries.

Until official patches are released, organizations should implement the following mitigations: 1) Restrict network access to the affected endpoints (list.json.php and related plugin endpoints) using web application firewalls (WAFs) or network ACLs to allow only trusted IPs or internal users. 2) Implement reverse proxy authentication or IP whitelisting to block unauthenticated external access to these endpoints. 3) Audit and monitor access logs for unusual or unauthorized requests targeting list.json.php endpoints to detect potential data scraping attempts. 4) If possible, modify the source code to add authentication and authorization checks to the list.json.php template and all plugins generated by CreatePlugin, enforcing admin or appropriate user privileges. 5) Educate development teams to review plugin templates for security controls before deployment. 6) Plan for rapid deployment of official patches once released by WWBN. 7) Conduct regular security assessments and penetration tests focusing on API endpoints to identify similar issues proactively.