Platform: php
Component: wwbn/avideo
Fixed in: 25.0.1, 25.0
CVE-2026-30885 is an Information Disclosure vulnerability affecting AVideo, a video management platform. This vulnerability allows unauthenticated attackers to enumerate user IDs and retrieve sensitive playlist information, including video IDs and playlist status. The vulnerability impacts versions of AVideo up to and including 24.0, and a fix is available in version 25.0.
The primary impact of CVE-2026-30885 is the exposure of sensitive playlist data. An attacker can leverage this vulnerability to discover user IDs and access details about their playlists, including the videos they contain and their status. While the vulnerability does not directly lead to data modification or system compromise, the enumeration of user accounts can be a precursor to further attacks, such as social engineering or targeted phishing campaigns. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability was publicly disclosed on 2026-03-07. No known exploitation campaigns or proof-of-concept exploits are currently available, but because the endpoint requires no authentication, exploitation could follow quickly if a PoC is released. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2026-30885 is to upgrade AVideo to version 25.0 or later, which includes the necessary fix. As a temporary workaround, access to the /objects/playlistsFromUser.json.php endpoint can be restricted using web application firewall (WAF) rules or proxy configurations to require authentication. Carefully review and restrict access to all endpoints handling user data to prevent similar vulnerabilities in the future. After upgrading, confirm the fix by attempting to access the /objects/playlistsFromUser.json.php endpoint without authentication; access should be denied.
Update AVideo to version 25.0 or later. This version fixes the playlist information disclosure vulnerability by requiring authentication to access the /objects/playlistsFromUser.json.php endpoint.
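To check whether the endpoint was enumerated before the upgrade or the proxy rule was in place, web server access logs can be scanned for a single client that received successful responses for many different query strings. The script below is an added example, not code from AVideo or from this advisory; it assumes combined-format access logs, an arbitrary threshold, and constructed sample lines in which `param` is a placeholder query parameter name.

```python
import re
from collections import defaultdict

ENDPOINT = "/objects/playlistsFromUser.json.php"  # path named in the advisory
THRESHOLD = 3  # assumed cut-off for this demo; tune to your own traffic

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_enumeration(lines, threshold=THRESHOLD):
    """Return {client_ip: distinct_query_count} for clients that received
    200 responses from the endpoint for at least `threshold` distinct queries."""
    queries = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, _, query = m["target"].partition("?")
        # Only successful responses count; denied requests disclosed nothing.
        if path != ENDPOINT or m["status"] != "200":
            continue
        queries[m["ip"]].add(query)
    return {ip: len(q) for ip, q in queries.items() if len(q) >= threshold}


def _line(ip, value, status):
    # Builds one constructed log line; "param" is a placeholder parameter name.
    return (f'{ip} - - [07/Mar/2026:10:00:00 +0000] '
            f'"GET {ENDPOINT}?param={value} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    [_line("203.0.113.5", v, 200) for v in (1, 2, 3, 4)]    # sequential sweep
    + [_line("198.51.100.7", 7, 200)] * 2                   # same query repeated
    + [_line("203.0.113.9", v, 403) for v in (1, 2, 3)]     # denied (constructed status)
    + ["not a log line"]
)

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct queries answered with 200")
```

Clients flagged here are candidates for review, not confirmed abuse; a legitimate integration that lists playlists for many users would show the same pattern.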
CVE-2026-30885 is an Information Disclosure vulnerability in AVideo versions up to 24.0, allowing unauthenticated access to playlist data.
If you are running AVideo version 24.0 or earlier, you are potentially affected by this vulnerability.
Upgrade AVideo to version 25.0 or later to remediate the vulnerability. As a temporary workaround, restrict access to the /objects/playlistsFromUser.json.php endpoint.
Currently, there are no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Refer to the AVideo GitHub repository for updates and advisories: https://github.com/WWBN/AVideo