CVE-2026-43881

MEDIUM

WWBN AVideo <= 29.0 - Unauthenticated User Enumeration

Title source: manual

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq

X_Refsource_Misc x_refsource_misc

https://github.com/WWBN/AVideo/commit/d9cdc702481a626b15f814f6093f1e2a9c20d375

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (2)

wwbn/avideo 0 - 29.0Packagist

WWBN/AVideo <= 29.0

Published May 11, 2026

Tracked Since May 12, 2026