
CVE-2026-34247: Insecure Direct Object Reference and Information Disclosure in WWBN AVideo
Vulnerability ID: CVE-2026-34247
CVSS Score: 5.4
Published: 2026-03-29

WWBN AVideo versions up to and including 26.0 suffer from a Missing Authorization (IDOR) vulnerability in the plugin/Live/uploadPoster.php endpoint. An authenticated attacker can overwrite the poster image of any scheduled live stream. Furthermore, the exploitation triggers a WebSocket broadcast that leaks the victim's private broadcast key and user ID to all connected clients.

TL;DR

An IDOR flaw in WWBN AVideo's uploadPoster.php allows low-privileged authenticated users to overwrite stream posters and extract private broadcast keys of other users via WebSocket broadcasts.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-862
Attack Vector: Network
CVSS Score: 5.4
EPSS Score: 0.00009
Impact: Information Disclosure & File Overwrite
Exploit Status: PoC Available
Privileges Required: Low

Affected Systems

WWBN AVideo AVi
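
The two failures described above (no ownership check before the poster write, and a broadcast that carries private fields) are addressed in the hardened handler sketched below. This is an added example, not AVideo's code or its patch; the function names, array layout and sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data: two scheduled streams owned by different users.
$schedules = [
    101 => ['id' => 101, 'users_id' => 7, 'key' => 'constructed-key-aaa', 'poster' => 'a.jpg'],
    102 => ['id' => 102, 'users_id' => 9, 'key' => 'constructed-key-bbb', 'poster' => 'b.jpg'],
];

/** Hypothetical ownership check: only the owner or an admin may modify a schedule. */
function canEditSchedule(array $schedule, int $userId, bool $isAdmin): bool
{
    return $isAdmin || $schedule['users_id'] === $userId;
}

/** Allow-list projection: the only fields every connected client may receive. */
function publicBroadcastPayload(array $schedule): array
{
    return ['schedule_id' => $schedule['id'], 'poster' => $schedule['poster']];
}

/**
 * Hardened poster update: authorize against the stored owner before writing,
 * then hand back only the public projection for the WebSocket broadcast.
 */
function updatePoster(array &$schedules, int $scheduleId, int $userId, bool $isAdmin, string $poster): array
{
    if (!isset($schedules[$scheduleId])) {
        return ['status' => 404, 'broadcast' => null];
    }
    if (!canEditSchedule($schedules[$scheduleId], $userId, $isAdmin)) {
        return ['status' => 403, 'broadcast' => null]; // no write, no broadcast
    }
    $schedules[$scheduleId]['poster'] = $poster;
    return ['status' => 200, 'broadcast' => publicBroadcastPayload($schedules[$scheduleId])];
}

// User 7 targets user 9's schedule: rejected before anything is written or sent.
$denied = updatePoster($schedules, 102, 7, false, 'x.jpg');
// User 9 updates their own schedule: accepted, broadcast omits key and user ID.
$ok = updatePoster($schedules, 102, 9, false, 'new.jpg');

printf("cross-user: %d, owner: %d\n", $denied['status'], $ok['status']);
echo json_encode($ok['broadcast']), "\n";
```

Building the broadcast from an allow-list rather than removing known-sensitive keys means a field added to the schedule record later is not sent to clients by default.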


