Auth bypass in Wwbn Avideo

CVE-2026-30885

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate u…

Vulnerability class: Broken Authentication

EPSS: 0.001 (30.2th percentile) — read the EPSS interpretation.

Affected products

Wwbn Avideo — versions < 25.0

Weakness classification (CWE)

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-6w2r-cfpc-23r5 (x_refsource_CONFIRM)
https://github.com/WWBN/AVideo/commit/12adc66913724736937a61130ae2779c299445ca (x_refsource_MISC)