Description
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
Published: 2026-03-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw in WWBN AVideo allows an unauthenticated attacker to retrieve playlist data for any user. By sending a request to /objects/playlistsFromUser.json.php, the application exposes playlist names, video identifiers, and status information without verifying the requester's identity. This lack of authentication creates an information disclosure vulnerability that could reveal sensitive user activity or provide a foothold for further attacks.

Affected Systems

The vulnerability affects the WWBN AVideo platform, versions prior to 25.0. Users running any release version lower than 25.0 are susceptible. The affected component is the public endpoint /objects/playlistsFromUser.json.php within the AVideo codebase.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this IDOR by crafting simple HTTP GET requests to the vulnerable endpoint, requiring no special credentials or network access beyond the ability to reach the host. Because the data disclosed is limited to playlist metadata, the immediate impact is restricted to information leakage, but could enable social engineering or content discoverability attacks.

Generated by OpenCVE AI on April 16, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 25.0 or later.
  • Block unauthenticated access to /objects/playlistsFromUser.json.php using webserver authentication or firewall rules.
  • Implement rate limiting on the playlist endpoint to mitigate enumeration attempts.

Generated by OpenCVE AI on April 16, 2026 at 10:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6w2r-cfpc-23r5 AVideo has Unauthenticated IDOR - Playlist Information Disclosure
History

Fri, 13 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 09 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
Title WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure
Weaknesses CWE-306
CWE-862
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:12:14.963Z

Reserved: 2026-03-06T00:04:56.700Z

Link: CVE-2026-30885

cve-icon Vulnrichment

Updated: 2026-03-10T14:12:02.724Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T17:40:14.730

Modified: 2026-03-13T15:20:47.880

Link: CVE-2026-30885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses