Platform
php
Component
wwbn/avideo
Fixed version
25.0.1
25.0
CVE-2026-30885 is an Information Disclosure vulnerability affecting AVideo, a video management platform. This vulnerability allows unauthenticated attackers to enumerate user IDs and retrieve sensitive playlist information, including video IDs and playlist status. The vulnerability impacts versions of AVideo up to and including 24.0, and a fix is available in version 25.0.
The primary impact of CVE-2026-30885 is the exposure of sensitive playlist data. An attacker can leverage this vulnerability to discover user IDs and access details about their playlists, including the videos they contain and their status. While the vulnerability does not directly lead to data modification or system compromise, the enumeration of user accounts can be a precursor to further attacks, such as social engineering or targeted phishing campaigns. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability was publicly disclosed on 2026-03-07. No known exploitation campaigns or proof-of-concept exploits are currently available, but the ease of exploitation due to the lack of authentication suggests a potential for rapid exploitation if a PoC is released. The vulnerability is not currently listed on CISA KEV.
Organizations utilizing AVideo for video management, particularly those with publicly accessible instances or those lacking robust access controls, are at risk. Shared hosting environments where multiple users share the same AVideo instance are especially vulnerable, as an attacker could potentially enumerate the playlists of other users.
• generic web: Use curl to test endpoint exposure:
curl http://<avideo_server>/objects/playlistsFromUser.json.php
If the endpoint returns playlist data without authentication, the vulnerability is likely present.
• php: Examine the /objects/playlistsFromUser.json.php file for insecure direct object reference logic. Look for code that directly uses the users_id parameter without proper validation or authorization checks.
• generic web: Review access/error logs for requests to /objects/playlistsFromUser.json.php originating from unexpected IP addresses.
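As an added example (not code from the AVideo project or from this advisory), the log-review check above written out as a script: it parses combined-format access log lines, keeps only requests to /objects/playlistsFromUser.json.php, and reports source IPs that were served (HTTP 200) the playlists of many distinct users, which is what unauthenticated enumeration looks like in the logs. The log lines are constructed; the assumption that the target user is passed as a users_id query-string parameter and the threshold of five distinct users are the example's own.

```python
"""Review access logs for CVE-2026-30885 enumeration attempts.

Illustrative example added to this advisory; it is not code from the AVideo
project. Assumptions not stated on the page: logs are in Apache/nginx
combined format, and the target user is passed as a users_id query-string
parameter (the parameter name comes from the advisory, its position in the
query string is assumed).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/playlistsFromUser.json.php"

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client walks users_id 1..6 and is served 200 each time,
# one of its requests is refused (403), and an ordinary visitor fetches a single
# playlist. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2026:10:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 501 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:04 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 477 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:05 +0000] "GET /objects/playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 530 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:06 +0000] "GET /objects/playlistsFromUser.json.php?users_id=6 HTTP/1.1" 200 515 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:07 +0000] "GET /objects/playlistsFromUser.json.php?users_id=7 HTTP/1.1" 403 162 "-" "curl/8.5.0"
198.51.100.4 - - [07/Mar/2026:10:05:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 700 "https://video.example/" "Mozilla/5.0"
192.0.2.9 - - [07/Mar/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def endpoint_hits(lines):
    """Yield parsed records for requests whose path is the vulnerable endpoint,
    with the users_id query parameter (or None if absent) attached."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["path"])
        if url.path != ENDPOINT:
            continue
        rec["users_id"] = parse_qs(url.query).get("users_id", [None])[0]
        yield rec


def find_enumerators(lines, threshold=5):
    """Return {ip: [users_id, ...]} for source IPs that were served (HTTP 200)
    the playlists of at least `threshold` distinct users. Denied requests (4xx)
    are not counted: on a patched instance they are the expected outcome."""
    served = defaultdict(set)
    for rec in endpoint_hits(lines):
        if rec["status"] == 200 and rec["users_id"] is not None:
            served[rec["ip"]].add(rec["users_id"])
    return {
        ip: sorted(ids, key=lambda s: (len(s), s))  # numeric-looking order for digit strings
        for ip, ids in served.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: served playlists for {len(ids)} distinct users: {ids}")
```

Run it against a real log by replacing SAMPLE_LOG.splitlines() with the lines of the access log; a single visitor fetching one or two playlists stays below the threshold, while a client walking users_id values in sequence is reported together with the IDs it obtained, which is also the list of users whose playlist data should be treated as exposed.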
disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-30885 is to upgrade AVideo to version 25.0 or later, which includes the necessary fix. As a temporary workaround, access to the /objects/playlistsFromUser.json.php endpoint can be restricted using web application firewall (WAF) rules or proxy configurations to require authentication. Carefully review and restrict access to all endpoints handling user data to prevent similar vulnerabilities in the future. After upgrading, confirm the fix by attempting to access the /objects/playlistsFromUser.json.php endpoint without authentication; access should be denied.
Update AVideo to version 25.0 or later. That version fixes the playlist information disclosure by requiring authentication for access to the /objects/playlistsFromUser.json.php endpoint.
CVE-2026-30885 is an Information Disclosure vulnerability in AVideo versions up to 24.0, allowing unauthenticated access to playlist data.
If you are running AVideo version 24.0 or earlier, you are potentially affected by this vulnerability.
Upgrade AVideo to version 25.0 or later to remediate the vulnerability. As a temporary workaround, restrict access to the /objects/playlistsFromUser.json.php endpoint.
Currently, there are no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Refer to the AVideo GitHub repository for updates and advisories: https://github.com/WWBN/AVideo