HIGH SeverityCVSS 4.07.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

CVE-2026-43885

Last updated May 11, 2026 · Published May 11, 2026

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an updated fix.

Affected products

1 listed

WWBN:AVideo

Mappings

CWE

CWE-200CWE-862

CAPEC

None listed.

Training

Logging and Detection EngineeringWriting logs that actually help you find attackers - structured, contextual, actionable.
Authorisation and Access ControlRBAC, ABAC, and privilege escalation patterns in real applications.

CVE-2026-43885

Description

Affected products

Mappings

Related