CVE-2026-34733 in WWBN AVideo
요약 (영어)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
책임이 있는
GitHub_M
예약하다
2026. 03. 30.
공개
2026. 04. 01.
엔트리
VulDB provides additional information and datapoints for this CVE:
| 아이디 | 취약성 | CWE | 악용 | 대책 | CVE |
|---|---|---|---|---|---|
| 354542 | WWBN AVideo php_sapi_name 권한 상승 | 284 | 정의되지 않음 | 정의되지 않음 | CVE-2026-34733 |