AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction — CVE-2026-43881
GitHub · GitHub · CVE-2026-43881
ID
CVE-2026-43881
CVE-2026-43881
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
5.3
5.3
EPSS
0.00028
0.00028
Summary
## Summary `objects/users.json.php` exposes two unauthenticated paths that disclose the full set of registered user accounts. The `isCompany` request parameter causes the handler to set `$ignoreAdmin = true` for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside `User::getAllUsers()`/`User::getTotalUsers()`. A second path accepts `users_id` and calls…
Product
composer: wwbn/avideo
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.