Vulnerability Description
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | < 25.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445caPatch
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5ExploitMitigationVendor Advisory
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-30885?
CVE-2026-30885 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An u...
How severe is CVE-2026-30885?
CVE-2026-30885 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30885?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.