Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in:
objects/mention.json.php:17 $ignoreAdmin = true;
objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin,
['name', 'email', 'user', 'channelName'], 'a');No User::loginCheck(), no admin gate. Only entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10.
AnalysisAI
User enumeration in AVideo (composer/WWBN/AVideo ≤ 29.0) exposes account metadata - names, email addresses, usernames, and channel names - to unauthenticated remote attackers through an incomplete patch for CVE-2026-43881. The original fix (commit d9cdc7024) hardened users.json.php but left an identical unauthenticated code path alive in objects/mention.json.php, which calls User::getAllUsers() with no loginCheck() or authorization gate. No public exploit is identified at time of analysis, though the trivial HTTP-based trigger and absence of authentication make this a realistic reconnaissance primitive for credential-stuffing or phishing campaigns.
Technical ContextAI
AVideo (formerly YouPHPTube) is a PHP-based open-source video platform distributed via Composer as wwbn/avideo. The vulnerability resides in objects/mention.json.php at lines 17-18, where User::getAllUsers($ignoreAdmin=true, ['name','email','user','channelName'], 'a') is called directly - with no preceding User::loginCheck() or any equivalent authorization enforcement. The sole input guard is a regex requiring the term request parameter to begin with @ (preg_match('/^@/', $_REQUEST['term'])), plus a hardcoded rowCount=10 cap per response. CWE-204 (Observable Response Discrepancy) captures the information leakage class: structured user data is returned to callers regardless of authentication state, making the discrepancy between authenticated and unauthenticated behavior exploitable. The root cause is an incomplete fix pattern - the same anti-pattern that was corrected in users.json.php was independently present in this sibling endpoint and overlooked during the CVE-2026-43881 remediation. The $ignoreAdmin=true flag indicates this endpoint was intentionally scoped to non-admin users for mention autocomplete, yet no session or login enforcement was added.
RemediationAI
No vendor-released patch is identified at time of analysis for this specific variant - the advisory lists fixed version as None. The following specific compensating controls should be applied in order of preference. First, manually patch objects/mention.json.php by adding a User::loginCheck() call at the top of the file, mirroring the fix applied to users.json.php in commit d9cdc7024; this preserves mention autocomplete functionality for authenticated users while closing the unauthenticated access path. Second, if manual patching is not feasible, restrict web access to objects/mention.json.php at the web server or WAF layer (e.g., Deny from all in Apache or a location block in nginx); trade-off: this disables mention autocomplete entirely for all users. Third, if the mention feature is unused, delete the file from the web root. Monitor https://github.com/WWBN/AVideo and the advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79 for an official upstream patch.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33307
GHSA-vpfx-pxqw-2w79