CVE-2026-34733
Published: 31 March 2026
Summary
CVE-2026-34733 is a medium-severity Improper Access Control (CWE-284) vulnerability in Wwbn Avideo. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved authorizations for access, mitigating the failed CLI-only guard that allows unauthorized HTTP execution of the script.
Controls access to and use of publicly accessible content, preventing exposure of the installation script meant for CLI-only access.
Restricts system to least functionality by prohibiting non-essential installation scripts like deleteSystemdPrivate.php in production environments.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an improper access control flaw in a public-facing web application script (exposed via HTTP due to a PHP operator precedence bug), directly enabling remote exploitation without authentication to perform file deletion and directory disclosure.
NVD Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line,…
more
but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
Deeper analysisAI
CVE-2026-34733 affects WWBN AVideo, an open source video platform, in versions 26.0 and prior. The vulnerability resides in the installation script install/deleteSystemdPrivate.php, which includes a PHP operator precedence bug in its CLI-only access guard. The condition !php_sapi_name() === 'cli' is intended to restrict execution to the command line interface, but the logical NOT operator (!) binds more tightly than the strict equality operator (===), causing the expression to always evaluate to false. Consequently, the die() statement never triggers, exposing the script to HTTP access without authentication.
Remote attackers with network access can exploit this vulnerability without privileges or user interaction, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U. By invoking the script via HTTP, attackers can delete arbitrary files from the server's temp directory and obtain a disclosure of the temp directory contents in the response, resulting in low-impact confidentiality and availability effects.
The GitHub security advisory (GHSA-wwpw-hrx8-79r5) confirms that, at the time of publication on 2026-03-31, no publicly available patches exist for this issue, classified under CWE-284 (Improper Access Control). Security practitioners should monitor the AVideo repository for updates and consider restricting HTTP access to the affected script via web server configurations or file permissions in the interim.
Details
- CWE(s)