CVE-2025-34434 · CRITICAL 9.1 · EPSS p33.0%

Description

AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. The plugin endpoints that manage gallery images neither enforce authentication nor validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 33.0% · 2026-06-18T12:00:27Z
Published: 2025-12-17
Last modified: 2025-12-19

Underlying weaknesses · 1

CWE-306

References

  1. https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
  2. https://github.com/WWBN/AVideo/commit/4a53ab2056
  3. https://github.com/WWBN/AVideo/commit/c279999cbd
  4. https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion

| Type | Target | Confidence | Tier |
|------|--------|------------|------|
| Weakness | Missing Authentication for Critical Function (cwe-306) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-34437
  2. CVE-2025-34436
  3. CVE-2025-34438
  4. CVE-2026-46337
  5. CVE-2025-12966
  6. CVE-2026-33024

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.