CVE-2026-35450
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Description
## Summary The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (`kill.ffmpeg.json.php`, `list.ffmpeg.json.php`, `ffmpeg.php`) require `User::isAdmin()`. ## Details The entire file at `plugin/API/check.ffmpeg.json.php`: ```php <?php $configFile = __DIR__.'/../../videos/configuration.php'; require_once $configFile; header('Content-Type: application/json'); $obj = testFFMPEGRemote(); die(json_encode($obj)); ``` No `User::isAdmin()`, `User::isLogged()`, or any access control check exists. Compare with sibling endpoints in the same directory: - `kill.ffmpeg.json.php` checks `User::isAdmin()` - `list.ffmpeg.json.php` checks `User::isAdmin()` ## Proof of Concept ```bash curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php" ``` Returns information about whether the platform uses a standalone FFmpeg server and its current reachability. ## Impact Infrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning. ## Recommended Fix Add an admin authentication check at `plugin/API/check.ffmpeg.json.php:3`, after `require_once $configFile;`: ```php if (!User::isAdmin()) { forbiddenPage('Admin only'); } ``` --- *Found by [aisafe.io](https://aisafe.io)*
How to fix CVE-2026-35450
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2026-35450 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 26.0