CVE-2026-40908

MEDIUM

AVideo <=29.0 git.json.php - Unauthenticated Information Disclosure

Title source: manual

Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926

Scores

CVSS v3 5.3

EPSS 0.0025

EPSS Percentile 16.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

wwbn/avideo < 29.0

wwbn/avideo 0Packagist

WWBN/AVideo <= 29.0

Published Apr 21, 2026

Tracked Since Apr 22, 2026