Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/d9cdc702481a626b15f814f6093f1e2a9c20d375
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq
- https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq
FAQ
What is CVE-2026-43881?
CVE-2026-43881 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The...
How severe is CVE-2026-43881?
CVE-2026-43881 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43881?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.