Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/e6566f56a28f4556b2a0a09d03717a719dcb49da
- https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2
- https://github.com/WWBN/AVideo/security/advisories/GHSA-qm9p-p5pw-jrx2
FAQ
What is CVE-2026-43873?
CVE-2026-43873 is a vulnerability with a CVSS score of 7.5 (HIGH). WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($gl...
How severe is CVE-2026-43873?
CVE-2026-43873 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43873?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.