{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35452", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:47:45.511Z", "dateUpdated": "2026-04-06T21:47:45.511Z"}, "containers": {"cna": {"title": "WWBN AVideo has Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-99j6-hj87-6fcf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-99j6-hj87-6fcf"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:47:45.511Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata."}], "source": {"advisory": "GHSA-99j6-hj87-6fcf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection metadata."}], "id": "CVE-2026-35452", "lastModified": "2026-04-06T22:16:23.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.610", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-99j6-hj87-6fcf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T01:54:57.905485+00:00", "value": {"mitigation_remediation": ["Update to the latest WWBN AVideo release where the authentication check is restored on client.log.php", "If immediate upgrade is not possible, configure the web server to deny access to /plugin/CloneSite/client.log.php for non-admin users", "Verify that User::isAdmin() is enforced on all CloneSite endpoints to prevent accidental exposure"], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WWBN AVideo platform, specifically the CloneSite plugin. Systems running versions 26.0 or earlier are impacted; later releases have removed the unauthenticated access to this endpoint.", "description_and_impact": "WWBN AVideo versions up to 26.0 expose a log file through the CloneSite plugin endpoint client.log.php without any authentication enforcement. The log captures filesystem paths, remote server URLs and SSH connection details, giving an attacker full visibility into the internal environment and potential credentials. This breach primarily undermines confidentiality by revealing sensitive configuration and connection information.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates moderate severity. The exploit does not require any prior authentication, so any external user who discovers the endpoint can retrieve the log file. The lack of an EPSS rating means we cannot quantify exact likelihood, and the issue is not currently listed in CISA's KEV catalog, suggesting no known public exploitation yet. Nonetheless, the easy discovery and retrieval could allow an attacker to gather information necessary for further attacks."}}}}, "created": "2026-04-07T06:53:38.343246+00:00", "updated": "2026-04-07T09:36:35.893416+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}