CVE-2026-30885 — Missing Authentication for Critical Function in Avideo

CWE-306 — Missing Authentication for Critical Function CWE-862 — Missing Authorization CWE-639 — Authorization Bypass Through User-Controlled Key4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 64.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 7

PublishedMar 10

Description

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDwwbn/avideo< 25.0

▶Packagistwwbn/avideo< 25.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

AVideo has Unauthenticated IDOR - Playlist Information Disclosure↗2026-03-07

▶

GHSA

AVideo has Unauthenticated IDOR - Playlist Information Disclosure↗2026-03-07

▶

🕵️Threat Intelligence

Wiz

CVE-2026-30885 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶