CVE-2025-34434

AVideo < 20.1 ImageGallery Plugin Unauthenticated File Upload and Deletion

CVSS 9.3 CRITICALEPSS 0.4%CWE-306

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

17 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

World Wide Broadcast Network · AVideo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/c279999cbd https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion