Platform
php
Component
wwbn/avideo
Fixed in
25.0.1
25.0
CVE-2026-30885 is an Information Disclosure vulnerability affecting AVideo, a video management platform. This vulnerability allows unauthenticated attackers to enumerate user IDs and retrieve sensitive playlist information, including video IDs and playlist status. The vulnerability impacts versions of AVideo up to and including 24.0, and a fix is available in version 25.0.
The primary impact of CVE-2026-30885 is the exposure of sensitive playlist data. An attacker can leverage this vulnerability to discover user IDs and access details about their playlists, including the videos they contain and their status. While the vulnerability does not directly lead to data modification or system compromise, the enumeration of user accounts can be a precursor to further attacks, such as social engineering or targeted phishing campaigns. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability was publicly disclosed on 2026-03-07. No known exploitation campaigns or proof-of-concept exploits are currently available, but the ease of exploitation due to the lack of authentication suggests a potential for rapid exploitation if a PoC is released. The vulnerability is not currently listed on CISA KEV.
Organizations utilizing AVideo for video management, particularly those with publicly accessible instances or those lacking robust access controls, are at risk. Shared hosting environments where multiple users share the same AVideo instance are especially vulnerable, as an attacker could potentially enumerate the playlists of other users.
• generic web: Use curl to test endpoint exposure:
curl http://<avideo_server>/objects/playlistsFromUser.json.php
If the endpoint returns playlist data without authentication, the vulnerability is likely present.
• php: Examine the /objects/playlistsFromUser.json.php file for insecure direct object reference logic. Look for code that directly uses the users_id parameter without proper validation or authorization checks.
• generic web: Review access/error logs for requests to /objects/playlistsFromUser.json.php originating from unexpected IP addresses.
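Detection logic for the log-review step above, as an added example that is not part of this advisory or the AVideo project. It assumes the web server writes the Apache/nginx "combined" access-log format and that the endpoint is called with a users_id query parameter (the advisory names that parameter; nothing else about the request shape is taken from AVideo's code). The log lines embedded in the script are constructed for illustration, not captured from a real server.

```python
"""Flag possible CVE-2026-30885 enumeration in web server access logs.

Added example, not part of the advisory or the AVideo project. Assumes the
"combined" log format and a users_id query-string parameter on the endpoint
(the advisory names that parameter). SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/playlistsFromUser.json.php"

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one external client walking users_id sequentially (enumeration),
# one internal client fetching a single playlist, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2026:10:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 488 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 39 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 39 "-" "curl/8.5.0"
10.0.0.5 - - [07/Mar/2026:10:05:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 1024 "https://video.example/" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (client_ip, users_id or None) for a request to ENDPOINT, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    uid = parse_qs(parts.query).get("users_id", [None])[0]
    return m.group("ip"), uid


def summarize(log_text):
    """Map client IP -> set of distinct users_id values it requested from ENDPOINT."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ip, uid = hit
        seen[ip].add(uid)
    return seen


def suspicious_clients(log_text, trusted_ips=frozenset(), max_distinct_ids=2):
    """IPs that hit ENDPOINT from outside trusted_ips, or that asked for more than
    max_distinct_ids different users_id values (the enumeration pattern)."""
    flagged = []
    for ip, uids in summarize(log_text).items():
        if ip not in trusted_ips or len(uids) > max_distinct_ids:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG, trusted_ips={"10.0.0.5"}):
        print("review:", ip)
```

Run it against a real access log by reading the file into `suspicious_clients` instead of `SAMPLE_LOG`, and adjust `trusted_ips` and `max_distinct_ids` to the deployment: a single client requesting many different users_id values in a short window is the user-ID enumeration the advisory describes, and on a patched 25.0 instance those unauthenticated requests should no longer return 200 with playlist data.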
Exploit status
disclosure
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2026-30885 is to upgrade AVideo to version 25.0 or later, which includes the necessary fix. As a temporary workaround, access to the /objects/playlistsFromUser.json.php endpoint can be restricted using web application firewall (WAF) rules or proxy configurations to require authentication. Carefully review and restrict access to all endpoints handling user data to prevent similar vulnerabilities in the future. After upgrading, confirm the fix by attempting to access the /objects/playlistsFromUser.json.php endpoint without authentication; access should be denied.
Update AVideo to version 25.0 or later. This version fixes the playlist information disclosure vulnerability by requiring authentication to access the /objects/playlistsFromUser.json.php endpoint.
CVE-2026-30885 is an Information Disclosure vulnerability in AVideo versions up to 24.0, allowing unauthenticated access to playlist data.
If you are running AVideo version 24.0 or earlier, you are potentially affected by this vulnerability.
Upgrade AVideo to version 25.0 or later to remediate the vulnerability. As a temporary workaround, restrict access to the /objects/playlistsFromUser.json.php endpoint.
Currently, there are no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Refer to the AVideo GitHub repository for updates and advisories: https://github.com/WWBN/AVideo