Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an updated fix.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated user to read the APISecret value from the objects/plugins.json.php endpoint and use that secret to call protected API endpoints such as users_list without logging in. This results in unauthorized disclosure of sensitive data and potentially further exploitation of privileged operations. The weakness originates from missing authorization checks on the API endpoint and inadequate protection of secret data.

Affected Systems

The flaw affects WWBN AVideo versions up to and including 29.0. Any deployment running these versions without applying the commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b introduces the vulnerability. The affected component is the public API exposed by the objects/plugins.json.php resource.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity, while the EPSS score is not reported, making it unclear how frequently this vulnerability is exploited in the wild. It is not listed in CISA’s KEV catalogue. Exploitation requires only the ability to send an HTTP request to the vulnerable endpoint, and no authentication is required, making it straightforward for an attacker with network access to read the secret and perform unauthorized API calls.

Generated by OpenCVE AI on May 11, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to a version that incorporates commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b or later.
  • Restrict access to the objects/plugins.json.php endpoint or require authentication before accessing it.
  • Remove or secure the exposed API secret so that it is never returned to clients, ensuring secrets are stored server‑side only.

Generated by OpenCVE AI on May 11, 2026 at 22:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xr49-f4rh-qcjf AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
History

Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an updated fix.
Title WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
Weaknesses CWE-200
CWE-862
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:45:21.425Z

Reserved: 2026-05-04T15:17:09.330Z

Link: CVE-2026-43885

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-11T22:22:13.213

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-43885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses