Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WWBN AVideo is a free video platform. In version 29.0 and earlier, the script objects/mention.json.php does not enforce user authentication or administrative gating. The only checks are a very loose regular expression on the request term and a hard‑coded row count of 10. This omission allows an unauthenticated user to query the endpoint and receive up to ten matching usernames, thereby enumerating valid users without any login. The effect is a clear information disclosure that could aid attackers in subsequent phishing or credential‑guessing attacks.

Affected Systems

The vulnerability affects WWBN AVideo versions 29.0 and earlier. The issue is tied to the mention endpoint found in objects/mention.json.php. Users running any of these versions should consider themselves potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 classifies the flaw as a moderate severity vulnerability. Although the EPSS score is not provided, the absence of authentication means an attacker can exploit the flaw with minimal effort, provided the endpoint is network reachable. It is not currently listed in the CISA KEV catalog, but the impact of knowing valid user accounts grants an attacker a foothold for further social‑engineering or credential‑based attacks. The most straightforward attack vector is an unauthenticated HTTP request to the mention endpoint, which may be especially dangerous if the platform is exposed to public traffic.

Generated by OpenCVE AI on May 29, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available AVideo release, which includes the authentication check for the mention endpoint.
  • If an upgrade is not immediately feasible, manually add an access control guard such as User::loginCheck() or an admission test before processing the request to objects/mention.json.php.
  • Restrict or rate‑limit the mention endpoint using web‑application firewall rules or server configuration to limit enumeration attempts.


Advisories
Source: GitHub GHSA
ID: GHSA-vpfx-pxqw-2w79
Title: AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
History

Sat, 30 May 2026 03:30:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 15:00:00 +0000

First Time appeared (values added): Wwbn; Wwbn avideo
Vendors & Products (values added): Wwbn; Wwbn avideo

Fri, 29 May 2026 13:45:00 +0000

Description (values added): WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.
Title (values added): AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration
Weaknesses (values added): CWE-204; CWE-285
References (values added): none listed
Metrics (values added): cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:30:36.945Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45620

Vulnrichment

Updated: 2026-05-30T02:30:25.325Z

NVD

Status : Undergoing Analysis

Published: 2026-05-29T14:16:31.107

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-45620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T16:00:15Z

Weaknesses