CVE-2026-45620

MEDIUM5.3EPSS 0.05%

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

發布日:2026/5/18修改日:2026/5/26

也稱為:GHSA-vpfx-pxqw-2w79

描述

CVE-2026-43881 fix `d9cdc7024` patched `users.json.php` only. The same anti-pattern survives at master HEAD in: ``` objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin, ['name', 'email', 'user', 'channelName'], 'a'); ``` No `User::loginCheck()`, no admin gate. Only entry guard: `preg_match('/^@/', $_REQUEST['term'])` and hard-coded `rowCount=10`.

受影響套件(1)

Packagist/WWBN/AVideofrom 0, <= 29.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(3)

ADVISORYhttps://github.com/advisories/GHSA-6rvw-7p8v-mjfq
PATCHhttps://github.com/WWBN/AVideo
WEBhttps://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79