CVE-2026-30885

MEDIUM WAF: Low

CVSS 5.3 Published: 2026-03-10

CWE-862

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0.

WAF Coverage Analysis

Missing Authorization Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor	Product	Version
wwbn	avideo	up to 25.0

References

github.com (Patch)
github.com (Exploit, Mitigation, Vendor Advisory)

Back to CVE Database