{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34245", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-03-27T16:32:35.615Z", "dateUpdated": "2026-03-27T16:32:35.615Z"}, "containers": {"cna": {"title": "AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2rm7-j397-3fqg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2rm7-j397-3fqg"}, {"name": "https://github.com/WWBN/AVideo/commit/1e6dc20172de986f60641eb4fdb4090f079ffdce", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/1e6dc20172de986f60641eb4fdb4090f079ffdce"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T16:32:35.615Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the victim playlist owner's identity, allowing content hijacking and stream disruption. Commit 1e6dc20172de986f60641eb4fdb4090f079ffdce contains a patch."}], "source": {"advisory": "GHSA-2rm7-j397-3fqg", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the victim playlist owner's identity, allowing content hijacking and stream disruption. Commit 1e6dc20172de986f60641eb4fdb4090f079ffdce contains a patch."}], "id": "CVE-2026-34245", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T17:16:30.060", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/1e6dc20172de986f60641eb4fdb4090f079ffdce"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2rm7-j397-3fqg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-27T18:22:17.203417+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch that includes commit 1e6dc20172de986f60641eb4fdb4090f079ffdce to all AVideo installations 26.0 or earlier.", "Upgrade to the latest AVideo release that contains the authorization fix, or manually apply the patch if an official release is not yet available.", "Restrict streaming permissions to only those users who require them and review user roles for unnecessary privileges."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized broadcast hijacking and content disruption due to missing schedule authorization"}, "threat_synthesis": {"affected_systems": "WWBN AVideo, all releases up to and including version 26.0. The issue affects the plugin/PlayLists/View/Playlists_schedules/add.json.php endpoint and any associated playlist scheduling features.", "description_and_impact": "The vulnerability exists in the playlist scheduling endpoint, where any authenticated user with streaming permission can create or modify broadcast schedules that target any playlist, regardless of ownership. This allows the attacker to force the platform to rebroadcast a victim playlist under the victim\u2019s identity. The result is unauthorized content distribution or intentional disruption of the victim\u2019s stream, leading to loss of control over broadcast content.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. While no EPSS score is provided and the flaw is not listed in the KEV catalog, the vulnerability requires only an authenticated user with streaming permissions. An attacker can craft a schedule for another user\u2019s playlist, which executes automatically when the time triggers, allowing hijacking with no additional privilege escalation. Because the attack vector is internal to the platform, it is likely to be exploited by insiders or threat actors who have already compromised an account with streaming rights."}}}}, "created": "2026-03-27T20:28:03.079850+00:00", "updated": "2026-03-30T07:01:11.347283+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}