Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned - at scale and without solving any captcha - by observing three distinct JSON error responses. Commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 contains a patch.
AnalysisAI
WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.
Technical ContextAI
WWBN AVideo is an open-source PHP-based video platform (CPE: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*) affected in all versions through 26.0. The vulnerability is rooted in CWE-204 (Observable Timing Discrepancy), though more accurately it represents a logic-flow flaw in password recovery functionality. The vulnerable code path in objects/userRecoverPass.php performs database queries to check username existence and retrieve account status information before executing captcha validation. This sequencing violates security best practices by allowing an attacker to infer user account details through differential error handling—the endpoint leaks timing and response differentiation that reveals whether a username exists and its associated account state, circumventing captcha rate-limiting that would normally protect against such enumeration attacks.
RemediationAI
Upgrade WWBN AVideo to a version newer than 26.0 that includes commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157 or later. Consult the vendor advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-m99f-mmvg-3xmx for the exact patched version number and upgrade instructions. As an interim mitigation prior to patching, administrators should implement rate-limiting on the objects/userRecoverPass.php endpoint at the web server or reverse proxy level (using mod_ratelimit, fail2ban, or equivalent), configure CORS restrictions to prevent cross-origin enumeration, and consider temporarily disabling the password recovery feature if it is not actively needed. Monitor access logs for suspicious patterns of repeated failed password recovery attempts from single IP addresses.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14498
GHSA-m99f-mmvg-3xmx