CVE-2026-45620

MEDIUM5.3EPSS 0.05%

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

Published: 5/18/2026Modified: 5/26/2026

Also known as:GHSA-vpfx-pxqw-2w79

Description

CVE-2026-43881 fix `d9cdc7024` patched `users.json.php` only. The same anti-pattern survives at master HEAD in: ``` objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin, ['name', 'email', 'user', 'channelName'], 'a'); ``` No `User::loginCheck()`, no admin gate. Only entry guard: `preg_match('/^@/', $_REQUEST['term'])` and hard-coded `rowCount=10`.

Affected packages (1)

Packagist/WWBN/AVideofrom 0, <= 29.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://github.com/advisories/GHSA-6rvw-7p8v-mjfq
PATCHhttps://github.com/WWBN/AVideo
WEBhttps://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79