Unauthenticated Proxy Vulnerability in WWBN AVideo SocialMediaPublisher Plugin
CVE-2026-35179

5.3MEDIUM

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-35179?

The SocialMediaPublisher plugin in WWBN AVideo versions 26.0 and earlier contains a vulnerability that exposes an unauthenticated endpoint, publishInstagram.json.php. This endpoint allows any unauthenticated user to bypass access controls and perform arbitrary calls to the Facebook/Instagram Graph API. It accepts user-controlled parameters, including access tokens and account IDs, which are passed directly to the Graph API, potentially enabling attackers to exploit compromised tokens or misuse credentials. This raises significant security concerns regarding unauthorized access and actions on Instagram accounts.

Affected Version(s)

AVideo <= 26.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-x...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 1, 2026

CVE-2026-35179 Data

JSON

Wwbn

What is CVE-2026-35179?

Affected Version(s)

References

CVSS V3.1

Timeline