AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover — CVE-2026-43875
GitHub · GitHub · CVE-2026-43875
ID
CVE-2026-43875
CVE-2026-43875
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.8
6.8
EPSS
0.00031
0.00031
Summary
## Summary `plugin/MobileManager/oauth2.php` completes an OAuth login by sending an HTTP 302 `Location: oauth2Success.php?user=<email>&pass=<HASH>` where `<HASH>` is the victim's stored password hash (`md5(hash("whirlpool", sha1(password)))`) read directly from the `users` table. AVideo's own login endpoint (`objects/login.json.php`) accepts an `encodedPass=1` flag that bypasses hashing and performs a direct string…
Product
composer: wwbn/avideo
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.