Is CVE-2026-34362 actively exploited?

CVE-2026-34362 has no public evidence of in-the-wild exploitation as of 2026-03-31.

What is the CVSS score for CVE-2026-34362?

CVE-2026-34362 has a CVSS score of 5.4 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.

How do I patch CVE-2026-34362?

Patch guidance is available from wwbn security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-34362.

CVE-2026-34362 - remediation guidance & executive summary

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to provide permanent WebSocket access, even after user accounts are deleted, banned, or demoted from admin. Admin tokens grant access to real-time connection data for all online users including IP addresses, browser info, and page locations. Commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 fixes the issue.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none
Weaknesses: CWE-613

Metadata

Primary Vendor: WWBN
Published: 3/27/2026
Last Modified: 3/31/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

wwbn : avideo

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-34362. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-34362

View on NIST NVD

CVE-2026-34362 vulnerability