CVE-2026-43881

Published: May 11, 2026

Modified: May 12, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.

Vendor	Product	Versions
WWBN	AVideo	affected `<= 29.0`

Weaknesses (CWE)

CWE-306

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq

x_refsource_CONFIRM

https://github.com/WWBN/AVideo/commit/d9cdc702481a626b15f814f6093f1e2a9c20d375

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-43881

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References