5.5

AVideo Platform Exposes User Playlists Without Login

GHSA-6w2r-cfpc-23r5 CVE-2026-30885
Summary

The AVideo platform's playlists endpoint allows anyone to view any user's playlists without needing a login, potentially exposing sensitive information. This could be used by an attacker to gather information about users. Users should update to version 25.0 or later to fix this issue.

What to do
  • Update wwbn avideo to version 25.0.
Affected software
Vendor | Product | Affected versions | Fix available
wwbn | avideo | <= 25.0 | 25.0
Original title
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. A...
Original description
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.
ghsa CVSS4.0 5.5
Vulnerability type
CWE-306 Missing Authentication for Critical Function
CWE-862 Missing Authorization
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026
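
A defender-side check for the enumeration pattern in the description, added here as an example and not taken from the advisory or the AVideo project: it scans web access logs for clients that fetched /objects/playlistsFromUser.json.php for many distinct user IDs. The `users_id` parameter name, the threshold, the Combined Log Format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/objects/playlistsFromUser.json.php"  # path named in the advisory
ID_PARAM = "users_id"  # assumption: query parameter that carries the user ID
THRESHOLD = 5          # assumption: distinct IDs per client before flagging

# Combined Log Format: client, identity fields, timestamp, request line, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def _line(ip, target):
    """Build one constructed access-log line for the sample below."""
    return f'{ip} - - [10/Mar/2026:09:00:01 +0000] "GET {target} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample log (documentation IP ranges), not real traffic:
# one client walks user IDs 1..8, another repeatedly loads a single playlist owner.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", f"{ENDPOINT}?{ID_PARAM}={i}") for i in range(1, 9)]
    + [_line("203.0.113.20", f"{ENDPOINT}?{ID_PARAM}=42")] * 3
    + [_line("203.0.113.20", "/view/index.php")]
)

def find_enumerators(log_text, threshold=THRESHOLD):
    """Return {client_ip: [user IDs]} for clients that received a 200 from the
    playlists endpoint for at least `threshold` distinct user IDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, or the request did not return data
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get(ID_PARAM, []):
            seen[m["ip"]].add(value)
    # Sort by (length, text) so purely numeric IDs come out in numeric order.
    return {ip: sorted(ids, key=lambda v: (len(v), v))
            for ip, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} requested playlists for {len(ids)} distinct users: {ids}")
```

Access logs do not record whether a request carried a valid session, so the check keys on the breadth of user IDs per client rather than on login state.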