Zero Day MonitorZDM

← Back to list

5.3

CVE-2026-35179EXPLOITED

composer · wwbn/avideo

WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php

Description

A vulnerability classified as problematic has been found in WWBN AVideo up to 26.0. Affected by this vulnerability is the function InstagramUploader::publishMediaIfIsReady of the file publishInstagram.json.php of the component Endpoint. Performing a manipulation of the argument access token/container ID/Instagram account ID results in missing authorization. This vulnerability is identified as CVE-2026-35179. The attack can be initiated remotely.

Affected Products

Vendor	Product	Versions
composer	wwbn/avideo	composer/wwbn/avideo: <= 26.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-x9w5-xccw-5h9w(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-35179 | WWBN AVideo up to 26.0 Endpoint publishInstagram.json.php publishMediaIfIsReady access token/container ID/Instagram account ID authorization

→ No new info (linked only)

CVSS 3.15.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-862

PublishedApr 3, 2026

Last enriched3h agov2

Tags

GHSA-x9w5-xccw-5h9wcomposerCVE-2026-35179

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-35470EXP

OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals

MEDIUMCVE-2026-35181EXP

WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

HIGHCVE-2026-29782

OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2

CRITICALCVE-2026-34989

CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

HIGHCVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Actively Exploited

Apr 6, 2026

Updated: description, severity, cvssEstimate, activelyExploited, tags

Apr 6, 2026

Version History

v2

Last enriched 3h ago

v2Tier C3h ago

Updated description with new technical details, changed severity to HIGH, and added CVE-2026-35179 as a new tag.

descriptionseveritycvssEstimateactivelyExploitedtags

via VulDB

v13d ago

Initial creation