CVE-2026-30885

UNKNOWN 0.0

WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.

CWE	CWE-306 CWE-862
Vendor	wwbn
Product	avideo
Published	Mar 9, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new unknown vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

WWBN / AVideo

< 25.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5 github.com: https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca