Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-35450 is a low severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().
The entire file at plugin/API/check.ffmpeg.json.php:
<?php
$configFile = __DIR__.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
$obj = testFFMPEGRemote();
die(json_encode($obj));
No User::isAdmin(), User::isLogged(), or any access control check exists.
Compare with sibling endpoints in the same directory:
kill.ffmpeg.json.php checks User::isAdmin()list.ffmpeg.json.php checks User::isAdmin()curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"
Returns information about whether the platform uses a standalone FFmpeg server and its current reachability.
Infrastructure reconnaissance revealing the encoding architecture. Limited direct impact but aids targeted attack planning.
Add an admin authentication check at plugin/API/check.ffmpeg.json.php:3, after require_once $configFile;:
if (!User::isAdmin()) {
forbiddenPage('Admin only');
}
Found by aisafe.io
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.