CVE-2026-30885

MEDIUM EPSS 28.4%
Published Mar 10, 20263mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 4.0
Medium
Find Similar
Published Mar 10, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.

CVSS Details

Base Score
5.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
28.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 3

CWE-306 Missing Authentication for Critical Function Authentication
CWE-639
CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
wwbnavideo* <25.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca
    Patch