AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization — CVE-2026-43885
GitHub · GitHub · CVE-2026-43885
ID
CVE-2026-43885
CVE-2026-43885
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.7
7.7
EPSS
0.0005
0.0005
Summary
### Summary An unauthenticated user can read `APISecret` from `objects/plugins.json.php` and use it to call protected API endpoints (e.g. `users_list`) without logging in. ### Details `objects/plugins.json.php` is public and still exposes plugin `object_data` containing `APISecret`. That secret is accepted by `plugin/API/get.json.php` as authentication. ### PoC 1. Get plugin config (contains `APISecret`): ```bash…
Product
composer: wwbn/avideo
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.