AVideo unauthenticated IDOR - playlist information disclosure

Platform

php

Component

wwbn/avideo

Fixed versions

25.0.1

25.0

AI confidence: high | NVD | EPSS: 0.1% | Reviewed: May 2026

CVE-2026-30885 is an Information Disclosure vulnerability in AVideo, a video management platform. The endpoint /objects/playlistsFromUser.json.php takes a users_id parameter and returns that user's playlists without requiring authentication (an insecure direct object reference), so an unauthenticated attacker can enumerate user IDs and retrieve playlist information, including video IDs and playlist status. The vulnerability affects AVideo versions up to and including 24.0; a fix is available in version 25.0.

Impact and attack scenarios

The primary impact of CVE-2026-30885 is exposure of playlist data that may have been meant to stay private. An attacker can discover which user IDs exist and read details about each user's playlists, including the videos they contain and their status. The vulnerability does not by itself allow data modification or system compromise, but a list of valid user accounts is a useful precursor to further attacks such as social engineering or targeted phishing. Because no authentication is required, anyone who can reach the instance can exploit it.

Exploitation context

This vulnerability was publicly disclosed on 2026-03-07. No exploitation campaigns are known, and this page records the proof-of-concept status as unknown, although the SSVC record below lists exploitation as "poc". Because the endpoint needs no authentication and a single GET with a guessed users_id is enough, expect rapid exploitation once a working request is published. The vulnerability is not currently listed on CISA KEV.

Who is at risk

Organizations running AVideo, particularly instances reachable from the internet or without additional access controls in front of them, are at risk. Multi-tenant instances are the most exposed: on a shared instance an attacker can enumerate the playlists of every other user, regardless of each playlist's status.

Detection steps

• generic web: Use curl to test endpoint exposure, passing a users_id the way the endpoint expects it and sending no session cookie:

curl "http://<avideo_server>/objects/playlistsFromUser.json.php?users_id=<id>"

If the endpoint returns playlist data for that user without authentication, the vulnerability is likely present.
• php: Examine /objects/playlistsFromUser.json.php for insecure direct object reference logic: code that reads the users_id parameter and queries playlists with it without first checking that the request is authenticated and that the caller is allowed to see that user's playlists.
• generic web: Review access/error logs for requests to /objects/playlistsFromUser.json.php from unexpected IP addresses, especially a single client stepping through many different users_id values, which is what enumeration looks like.
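The three detection steps above, as a small triage script. This is an added example and not code from the AVideo project or from the advisory: probe_url() builds the same unauthenticated request the curl check sends, classify_body() decides whether a response looks like exposed playlist data, and find_enumeration() scans access-log lines for one client walking through many users_id values. The JSON response shape (an array of playlist objects on success, an object with an "error" key on failure), the combined-format log lines and the trusted 10.0.0.0/8 network are all assumptions made for the example.

```python
"""Triage helpers for CVE-2026-30885 detection (added example, not project code)."""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

ENDPOINT = "/objects/playlistsFromUser.json.php"

# Constructed sample log lines (not real traffic): 203.0.113.7 walks users_id
# 1..5 without a session, 198.51.100.4 views one owner's playlists, and
# 10.0.0.5 is an internal scanner we choose to trust.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2026:10:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 2 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 380 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:04 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 2 "-" "curl/8.5.0"
203.0.113.7 - - [07/Mar/2026:10:00:05 +0000] "GET /objects/playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 901 "-" "curl/8.5.0"
198.51.100.4 - - [07/Mar/2026:10:05:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 640 "https://video.example/" "Mozilla/5.0"
198.51.100.4 - - [07/Mar/2026:10:05:01 +0000] "GET /view/playlist.php?id=9 HTTP/1.1" 200 4096 "https://video.example/" "Mozilla/5.0"
10.0.0.5 - - [07/Mar/2026:11:00:00 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512 "-" "internal-scanner"
10.0.0.5 - - [07/Mar/2026:11:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 2 "-" "internal-scanner"
10.0.0.5 - - [07/Mar/2026:11:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 380 "-" "internal-scanner"
10.0.0.5 - - [07/Mar/2026:11:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 2 "-" "internal-scanner"
10.0.0.5 - - [07/Mar/2026:11:00:04 +0000] "GET /objects/playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 901 "-" "internal-scanner"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def probe_url(base_url: str, users_id: int) -> str:
    """The unauthenticated request the curl check sends (users_id in the query)."""
    return urljoin(base_url, ENDPOINT) + "?" + urlencode({"users_id": users_id})


def classify_body(status: int, body: str) -> str:
    """Return 'exposed', 'denied' or 'unknown' for one HTTP response.

    Assumption: a non-empty JSON array of objects is playlist data; an object
    with an "error" key, or a 401/403, is a refusal. Anything else is unknown.
    """
    if status in (401, 403):
        return "denied"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, list) and data and all(isinstance(p, dict) for p in data):
        return "exposed"
    if isinstance(data, dict) and data.get("error"):
        return "denied"
    return "unknown"


def find_enumeration(lines, min_ids=5, trusted_prefixes=()):
    """Map client IP -> sorted users_id values for clients that requested the
    endpoint with at least min_ids distinct users_id values (any status code,
    so the scan still works on logs written after the upgrade)."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        url = urlparse(m.group("path"))
        if url.path != ENDPOINT:
            continue
        ip = m.group("ip")
        if ip.startswith(trusted_prefixes):
            continue
        for uid in parse_qs(url.query).get("users_id", []):
            ids_by_ip[ip].add(uid)
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= min_ids}


if __name__ == "__main__":
    print("probe:", probe_url("http://avideo.example/", 1))
    hits = find_enumeration(SAMPLE_LOG.splitlines(), trusted_prefixes=("10.",))
    for ip, ids in hits.items():
        print(f"possible users_id enumeration from {ip}: {', '.join(ids)}")
```

Run it as-is to see the constructed sample flagged, or feed real lines from your access log into find_enumeration(); lower min_ids if your instance has few users, and extend trusted_prefixes to cover your own monitoring hosts.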

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no

EPSS

0.08% (23rd percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical impact: partial

Affected software

Component: wwbn/avideo
Source: osv
Affected range: < 25.0
Fixed versions: 25.0.1, 25.0

Package information

Latest version: 29.0
Last updated: recently

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Patch released 0 days after disclosure

Mitigations and workarounds

The primary mitigation for CVE-2026-30885 is to upgrade AVideo to version 25.0 or later, which includes the fix. Until then, access to /objects/playlistsFromUser.json.php can be restricted at the reverse proxy or WAF, for example by allowlisting trusted networks or dropping requests that carry no session cookie. A proxy cannot validate the application's session itself, so this narrows exposure rather than replacing the missing authorization check. Review and restrict access to every other endpoint that takes a users_id or similar object identifier and returns user data, since the same pattern can recur. After upgrading, confirm the fix by requesting /objects/playlistsFromUser.json.php?users_id=<id> without a session; the request should be refused rather than return playlist data.
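One way to apply the proxy workaround described above, as an added example that is not part of the AVideo project or this advisory. It assumes nginx fronts AVideo, that PHP requests are already handed to PHP-FPM through an include file named snippets/avideo-php.conf (a hypothetical name; use whatever your existing .php location includes), that 10.0.0.0/8 is your trusted network, and that AVideo's session cookie uses PHP's default name PHPSESSID.

```nginx
# Temporary workaround for CVE-2026-30885 (added example, not project config).
# Put this inside the server { } block that serves AVideo, before the generic
# "location ~ \.php$" block so the exact match wins.
location = /objects/playlistsFromUser.json.php {
    # 1) Only trusted networks may reach the endpoint at all. Everyone else
    #    gets 403 before PHP is even invoked.
    allow 10.0.0.0/8;
    deny  all;

    # 2) Cheap filter for the trusted side: drop requests that carry no
    #    session cookie. Cookie presence is NOT authentication (nginx cannot
    #    check the session is valid); it only removes drive-by enumeration.
    #    The real fix is the upgrade to 25.0 or later.
    if ($cookie_PHPSESSID = "") {
        return 403;
    }

    # 3) Hand the surviving requests to PHP exactly as before.
    include snippets/avideo-php.conf;
}
```

Reload nginx and repeat the unauthenticated curl check from the detection steps: a request from outside 10.0.0.0/8, or one without a cookie, should now return 403 instead of JSON. Remove the block once the upgrade is in place so the application's own authentication check is what governs access.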

Remediation

Upgrade AVideo to version 25.0 or later. That release fixes the playlist information disclosure by requiring authentication on the `/objects/playlistsFromUser.json.php` endpoint. The package record on this page also lists 25.0.1 as a fixed version, so 25.0.1 or later satisfies both entries.


Frequently asked questions

What is CVE-2026-30885 — Information Disclosure in AVideo?

CVE-2026-30885 is an Information Disclosure vulnerability in AVideo versions up to 24.0, allowing unauthenticated access to playlist data.

Am I affected by CVE-2026-30885 in AVideo?

If you are running AVideo version 24.0 or earlier, you are potentially affected by this vulnerability.

How do I fix CVE-2026-30885 in AVideo?

Upgrade AVideo to version 25.0 or later to remediate the vulnerability. As a temporary workaround, restrict access to the /objects/playlistsFromUser.json.php endpoint.

Is CVE-2026-30885 being actively exploited?

Currently, there are no confirmed reports of active exploitation, but the ease of exploitation warrants caution.

Where can I find the official AVideo advisory for CVE-2026-30885?

Refer to the AVideo GitHub repository for updates and advisories: https://github.com/WWBN/AVideo
