Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Mitigate Exposure
AI Analysis

Impact

This vulnerability arises from the public git.json.php file in WWBN AVideo, which runs "git log -1" and returns the full output as JSON to any user. The output includes the exact deployed commit hash, developer names, developer email addresses, and commit messages. The exposure falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): it discloses sensitive internal information and allows version fingerprinting against known CVEs.

Affected Systems

The affected product is WWBN AVideo, versions 29.0 and earlier. Any installation that exposes the git.json.php file in the web root is susceptible.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so the current exploitation likelihood is uncertain. The likely attack vector is unauthenticated HTTP requests to the exposed file, allowing remote attackers to retrieve internal data without authentication.

Generated by OpenCVE AI on April 22, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or rename the git.json.php file from the public web root to eliminate the disclosure path.
  • Configure web server access controls or firewall rules to deny HTTP requests to that path or to the application root for unauthenticated users.
  • Continuously monitor web server logs for attempts to access git.json.php and investigate any suspicious activity.

Generated by OpenCVE AI on April 22, 2026 at 05:25 UTC.
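
The log-monitoring action above, as an added example (not code from OpenCVE or the AVideo project): a scanner that flags requests for git.json.php and separates responses that returned data (2xx) from those that did not. It assumes the common/combined access log format; the sample lines, addresses and the /avideo/ sub-path are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format:
#   ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET_FILE = "git.json.php"  # the file named in the advisory


def hits_git_json(target: str) -> bool:
    """True if any path segment of the request target is git.json.php.

    Drops the query string, decodes percent-encoding and ignores case,
    so /sub/GIT.JSON.php?x=1, /%67it.json.php and //git.json.php match,
    while look-alikes such as /git.json.php.txt do not.
    """
    path = unquote(target.split("?", 1)[0]).lower()
    return TARGET_FILE in path.split("/")


def scan(lines):
    """Return {client_ip: {"served": n, "not_served": n}} for matching requests."""
    report = defaultdict(lambda: {"served": 0, "not_served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_git_json(m["target"]):
            continue
        # A 2xx status means the git log output was actually returned.
        key = "served" if m["status"].startswith("2") else "not_served"
        report[m["ip"]][key] += 1
    return dict(report)


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2026:05:01:12 +0000] "GET /git.json.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [22/Apr/2026:05:01:13 +0000] "GET /avideo/GIT.JSON.php?cb=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.23 - - [22/Apr/2026:06:10:44 +0000] "GET /%67it.json.php HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.10 - - [22/Apr/2026:06:11:02 +0000] "GET /view/video.php?v=12 HTTP/1.1" 200 9041 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Apr/2026:06:11:09 +0000] "GET /docs/git.json.php.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

A non-zero "served" count means the commit hash and developer details were returned to that client; "not_served" entries show the path is being probed even where access is already denied.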


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 04:30:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Wwbn; Wwbn avideo
  • Vendors & Products: Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Values Removed: (none)
Values Added:
  • Description: WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.
  • Title: WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version
  • Weaknesses: CWE-200
  • References
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:25:57.077Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40908

Vulnrichment

Updated: 2026-04-22T13:25:52.018Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T20:17:03.220

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40908

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z
