logo

Database

User enumeration In wwbn/avideo

Description

AVideo CVE-2026-43881 incomplete fix - objects/mention.json.php:17 is an unauthenticated user enumeration sibling that survives d9cdc7024 CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in:

objects/mention.json.php:17     $ignoreAdmin = true;
objects/mention.json.php:18     $users = User::getAllUsers($ignoreAdmin,
                                    ['name', 'email', 'user', 'channelName'], 'a');

No User::loginCheck(), no admin gate. Only entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-456202. NVD-2026-456203. OSV-2026-456204. GHSA-vpfx-pxqw-2w795. GHSA-6rvw-7p8v-mjfq6. GCVE-2026-45620

References

1. https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-NPB2Y – Vulnerability | Fluid Attacks Database