CVE-2026-43881

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/d9cdc702481a626b15f814f6093f1e2a9c20d375
https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq
https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq

Configurations

No configuration.

History

12 May 2026, 14:17

Type	Values Removed	Values Added
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq -

11 May 2026, 22:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-11 22:22

Updated : 2026-05-12 14:50

NVD link : CVE-2026-43881

Mitre link : CVE-2026-43881

CVE.ORG link : CVE-2026-43881

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

5.3 /10