CVE-2026-34733: CWE-284: Improper Access Control in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
The vulnerability in WWBN AVideo (<= 26.0) arises from a PHP operator precedence error in the install/deleteSystemdPrivate.php script's access guard. The condition !php_sapi_name() === 'cli' is intended to restrict script execution to the command line interface. However, because the logical NOT operator (!) binds more tightly than the strict equality operator (===), the expression always evaluates to false, preventing the intended die() call. Consequently, the script is accessible over HTTP without authentication, enabling attackers to delete files in the server's temporary directory and disclose its contents. There are no publicly available patches or fixes at this time.
Potential Impact
An attacker can remotely invoke the install/deleteSystemdPrivate.php script via HTTP without authentication, leading to unauthorized deletion of files in the server's temporary directory and disclosure of its contents. This can result in partial denial of service due to file deletion and potential information leakage about the server environment. The CVSS score of 6.5 reflects a medium severity impact with low complexity and no required privileges or user interaction.
Mitigation Recommendations
At the time of this report, no official patches or fixes are publicly available for this vulnerability. Users should monitor the vendor's advisory channels for updates and apply any future patches promptly. As a temporary mitigation, restricting HTTP access to the install/deleteSystemdPrivate.php script (e.g., via web server configuration or firewall rules) to prevent unauthorized access is recommended.
CVE-2026-34733: CWE-284: Improper Access Control in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in WWBN AVideo (<= 26.0) arises from a PHP operator precedence error in the install/deleteSystemdPrivate.php script's access guard. The condition !php_sapi_name() === 'cli' is intended to restrict script execution to the command line interface. However, because the logical NOT operator (!) binds more tightly than the strict equality operator (===), the expression always evaluates to false, preventing the intended die() call. Consequently, the script is accessible over HTTP without authentication, enabling attackers to delete files in the server's temporary directory and disclose its contents. There are no publicly available patches or fixes at this time.
Potential Impact
An attacker can remotely invoke the install/deleteSystemdPrivate.php script via HTTP without authentication, leading to unauthorized deletion of files in the server's temporary directory and disclosure of its contents. This can result in partial denial of service due to file deletion and potential information leakage about the server environment. The CVSS score of 6.5 reflects a medium severity impact with low complexity and no required privileges or user interaction.
Mitigation Recommendations
At the time of this report, no official patches or fixes are publicly available for this vulnerability. Users should monitor the vendor's advisory channels for updates and apply any future patches promptly. As a temporary mitigation, restricting HTTP access to the install/deleteSystemdPrivate.php script (e.g., via web server configuration or firewall rules) to prevent unauthorized access is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T18:41:20.754Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d418a07
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 4/8/2026, 12:08:48 AM
Last updated: 5/15/2026, 5:45:59 PM
Views: 59
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.