Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the get_api_video_file and get_api_video API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTube() hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. Commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 fixes the issue.
AnalysisAI
WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints get_api_video_file and get_api_video, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the CustomizeUser::getModeYouTube() hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.
Technical ContextAI
WWBN AVideo is an open-source video streaming platform (CPE: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*). The vulnerability is rooted in CWE-862 (Missing Authorization), a root cause class describing insufficient validation of user privileges before granting access to protected resources. The affected API endpoints (get_api_video_file and get_api_video) return playback sources-direct MP4 URLs and HLS streaming manifests-without enforcing the password verification logic that the web UI implements via the CustomizeUser::getModeYouTube() hook. This represents a classic authentication/authorization enforcement gap between two code paths (web vs. API) serving the same protected resource. The attacker surface is the HTTP API layer itself, which processes requests over the network without authentication or privilege checks.
RemediationAI
Upgrade WWBN AVideo to a version patched after commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7 (exact released version number not provided in available data; consult the vendor advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-q6jj-r49p-94fh for the next stable release containing this fix). Until patching is completed, implement network-level access controls to restrict the API endpoints (get_api_video_file and get_api_video) to trusted internal networks or authenticated users only, using a reverse proxy with IP whitelisting or API key validation. Additionally, review any password-protected videos that may have been accessed via the API without authorization and consider rotating or resetting video passwords as a precaution.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed
Unauthenticated SQL injection in AVideo before 24.0.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16748
GHSA-q6jj-r49p-94fh