CVE-2025-34433
AVideo < 20.1 Unauthenticated RCE via Predictable Installation Salt
CVSS Score
0.0
EPSS Score
51.7%
EPSS Percentile
98th
AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.
| CWE | CWE-94 |
| Vendor | world wide broadcast network |
| Product | avideo |
| Published | Dec 19, 2025 |
| Last Updated | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for world wide broadcast network avideo
Be the first to know when new unknown vulnerabilities affecting world wide broadcast network avideo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
World Wide Broadcast Network / AVideo
14.3.1 < 20.1
References
github.com: https://github.com/WWBN/AVideo/commit/4a53ab2 github.com: https://github.com/WWBN/AVideo/commit/a2bdbff vulncheck.com: https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt chocapikk.com: https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
Credits
Valentin Lobstein (Chocapikk)