CVE-2025-34434
AVideo < 20.1 ImageGallery Plugin Unauthenticated File Upload and Deletion
CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
50th
AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.
| CWE | CWE-306 |
| Vendor | world wide broadcast network |
| Product | avideo |
| Published | Dec 17, 2025 |
| Last Updated | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for world wide broadcast network avideo
Be the first to know when new unknown vulnerabilities affecting world wide broadcast network avideo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
World Wide Broadcast Network / AVideo
0 < 20.1
References
github.com: https://github.com/WWBN/AVideo/commit/4a53ab2056 github.com: https://github.com/WWBN/AVideo/commit/c279999cbd vulncheck.com: https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion chocapikk.com: https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
Credits
Valentin Lobstein (Chocapikk)