Platform: php
Component: wwbn/avideo
Fixed in: 25.0.1, 25.0
CVE-2026-30885 is an Information Disclosure vulnerability affecting AVideo, a video management platform. This vulnerability allows unauthenticated attackers to enumerate user IDs and retrieve sensitive playlist information, including video IDs and playlist status. The vulnerability impacts versions of AVideo up to and including 24.0, and a fix is available in version 25.0.
The primary impact of CVE-2026-30885 is the exposure of sensitive playlist data. An attacker can leverage this vulnerability to discover user IDs and access details about their playlists, including the videos they contain and their status. While the vulnerability does not directly lead to data modification or system compromise, the enumeration of user accounts can be a precursor to further attacks, such as social engineering or targeted phishing campaigns. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability was publicly disclosed on 2026-03-07. No known exploitation campaigns or proof-of-concept exploits are currently available, but the ease of exploitation due to the lack of authentication suggests a potential for rapid exploitation if a PoC is released. The vulnerability is not currently listed on CISA KEV.
Organizations utilizing AVideo for video management, particularly those with publicly accessible instances or those lacking robust access controls, are at risk. Shared hosting environments where multiple users share the same AVideo instance are especially vulnerable, as an attacker could potentially enumerate the playlists of other users.
• generic web: Use curl to test endpoint exposure:
curl http://<avideo_server>/objects/playlistsFromUser.json.php
If the endpoint returns playlist data without authentication, the vulnerability is likely present.
• php: Examine the /objects/playlistsFromUser.json.php file for insecure direct object reference logic. Look for code that directly uses the users_id parameter without proper validation or authorization checks.
• generic web: Review access/error logs for requests to /objects/playlistsFromUser.json.php originating from unexpected IP addresses.
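The log review in the last step above, as an added example that is not part of the original advisory or of the AVideo project: a Python script that parses combined-format access-log lines (the default Apache/nginx format), lists source IPs outside an allowlist that requested /objects/playlistsFromUser.json.php, and goes one step beyond the advisory by also flagging IPs that cycle through many distinct users_id values, which is the enumeration pattern the advisory describes. The sample log lines, the allowlist, the threshold and the assumption that users_id arrives in the query string (POST bodies are not written to access logs) are all constructed for this example.

```python
"""Access-log triage for CVE-2026-30885 (added example, not AVideo project code).

Scans combined-format access-log lines for requests to the AVideo endpoint
named in the advisory and reports (a) source IPs outside a trusted allowlist
that hit it and (b) IPs that queried many distinct users_id values.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/playlistsFromUser.json.php"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample log: one IP walking users_id 1..4, one trusted internal
# front-end, and one ordinary visitor. IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2026:10:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 77 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 80 "-" "curl/8.5.0"
10.0.0.5 - - [07/Mar/2026:10:05:10 +0000] "GET /objects/playlistsFromUser.json.php?users_id=12 HTTP/1.1" 200 2048 "https://avideo.example/" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2026:10:06:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=12 HTTP/1.1" 200 2048 "https://avideo.example/" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2026:10:06:30 +0000] "GET /view/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # assumption: users_id is a query-string parameter
    return rec


def scan(lines, trusted_ips=frozenset(), min_distinct_ids=3):
    """Summarise requests to ENDPOINT.

    Returns the number of requests, the sorted list of untrusted source IPs
    (the advisory's "unexpected IP addresses" check) and, per untrusted IP,
    the count of distinct users_id values when it reaches min_distinct_ids.
    """
    requests = []
    ids_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        requests.append(rec)
        for uid in rec["query"].get("users_id", []):
            ids_by_ip[rec["ip"]].add(uid)
    unexpected = sorted({r["ip"] for r in requests} - set(trusted_ips))
    enumeration = {
        ip: len(ids)
        for ip, ids in ids_by_ip.items()
        if ip not in trusted_ips and len(ids) >= min_distinct_ids
    }
    return {"requests": len(requests), "unexpected_ips": unexpected, "enumeration": enumeration}


if __name__ == "__main__":
    # Constructed allowlist: the site's own internal front-end host.
    result = scan(SAMPLE_LOG.splitlines(), trusted_ips=frozenset({"10.0.0.5"}))
    print(f"requests to {ENDPOINT}: {result['requests']}")
    print("untrusted source IPs:", ", ".join(result["unexpected_ips"]) or "none")
    for ip, n in result["enumeration"].items():
        print(f"possible users_id enumeration from {ip}: {n} distinct ids")
```

Point `scan()` at `open("/var/log/nginx/access.log")` instead of the embedded sample to run it against a real instance; the threshold is deliberately low because a legitimate client normally asks for one user's playlists at a time.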
Exploit status: disclosure
EPSS: 0.08% (percentile 23%)
CISA SSVC
The primary mitigation for CVE-2026-30885 is to upgrade AVideo to version 25.0 or later, which includes the necessary fix. As a temporary workaround, access to the /objects/playlistsFromUser.json.php endpoint can be restricted using web application firewall (WAF) rules or proxy configurations to require authentication. Carefully review and restrict access to all endpoints handling user data to prevent similar vulnerabilities in the future. After upgrading, confirm the fix by attempting to access the /objects/playlistsFromUser.json.php endpoint without authentication; access should be denied.
Update AVideo to version 25.0 or later. This version fixes the playlist information disclosure vulnerability by requiring authentication to access the /objects/playlistsFromUser.json.php endpoint.
CVE-2026-30885 is an Information Disclosure vulnerability in AVideo versions up to 24.0, allowing unauthenticated access to playlist data.
If you are running AVideo version 24.0 or earlier, you are potentially affected by this vulnerability.
Upgrade AVideo to version 25.0 or later to remediate the vulnerability. As a temporary workaround, restrict access to the /objects/playlistsFromUser.json.php endpoint.
Currently, there are no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Refer to the AVideo GitHub repository for updates and advisories: https://github.com/WWBN/AVideo