CVE-2026-56345

HIGH 8.1

AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload with a filename containing an arbitrary users_id to invoke passwordless User->login() and establish an authenticated session as any user including admin. Attackers can obtain the Meet shared secret through path-traversal vulnerabilities or timing attacks against checkToken.json.php, then POST a crafted file to uploadRecordedVideo.json.php with a filename like '1-anything.mp4' to hijack admin sessions and gain full account takeover.

CWE	CWE-287
Vendor	avideo
Product	avideo
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for avideo avideo

Be the first to know when new high vulnerabilities affecting avideo avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

AVideo / AVideo

0 ≤ 29.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-qxvm-r42f-5p8j vulncheck.com: https://www.vulncheck.com/advisories/avideo-arbitrary-user-session-hijacking-via-meet-plugin-uploadrecordedvideo-endpoint

Credits

🔍 offset