PatchSiren cyber security CVE debrief

CVE-2026-45620 WWBN CVE debrief

WWBN AVideo versions 29.0 and earlier contain an unauthenticated user enumeration vulnerability in the objects/mention.json.php endpoint. The endpoint lacks authentication checks (no User::loginCheck() or admin gate) and only validates that the 'term' parameter begins with '@' via preg_match. With a hard-coded rowCount of 10, attackers can enumerate valid usernames without credentials. The vulnerability was disclosed via GitHub Security Advisory and is currently undergoing analysis in the NVD.

Vendor: WWBN
Product: AVideo
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running WWBN AVideo 29.0 or earlier; security teams monitoring for user enumeration attacks; administrators of open-source video platforms

Technical summary

The objects/mention.json.php endpoint in WWBN AVideo 29.0 and earlier fails to implement authentication checks, allowing unauthenticated attackers to enumerate valid usernames by submitting @-prefixed terms. The endpoint returns up to 10 matching user records without verifying the requester's identity or authorization.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade WWBN AVideo to a version newer than 29.0 once a patched release is available
  • Apply access controls to objects/mention.json.php requiring authentication before processing mention queries
  • Implement rate limiting on the mention.json.php endpoint to reduce enumeration risk
  • Monitor access logs for repeated @-prefixed queries to objects/mention.json.php as potential enumeration activity
  • Review other JSON endpoints in the objects/ directory for similar missing authentication checks
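The log-monitoring action above, worked through as an added example that is not part of the PatchSiren debrief or of the AVideo project: a small Python detector that flags clients issuing repeated @-prefixed lookups against objects/mention.json.php inside a short time window. The combined-format log layout, client addresses, threshold and window length are constructed assumptions; adapt them to the web server and traffic profile in use.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line (assumed layout; adjust to your server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def is_mention_probe(target: str) -> bool:
    """True when the request targets objects/mention.json.php with an @-prefixed term."""
    parts = urlsplit(target)
    if not parts.path.endswith("/objects/mention.json.php"):
        return False
    term = parse_qs(parts.query).get("term", [""])[0]   # parse_qs decodes %40 -> @
    return term.startswith("@")

def flag_enumeration(lines, window_s=60, threshold=5):
    """Return {client_ip: total_probes} for clients exceeding `threshold` mention
    probes within any sliding window of `window_s` seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_mention_probe(m["target"]):
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # advance the window start until the span fits inside window_s
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample log: one client walking prefixes every 2 s, one benign client.
SAMPLE_LOG = [
    f'203.0.113.7 - - [29/May/2026:10:00:{s:02d} +0000] "GET /objects/mention.json.php'
    f'?term=%40{t} HTTP/1.1" 200 480 "-" "curl/8.0"'
    for s, t in zip(range(1, 14, 2), ["a", "ad", "adm", "admi", "admin", "b", "bo"])
] + [
    '198.51.100.4 - - [29/May/2026:10:00:05 +0000] "GET /objects/mention.json.php?term=%40jo HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [29/May/2026:10:00:09 +0000] "GET / HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))   # {'203.0.113.7': 7}
```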

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-vpfx-pxqw-2w79. NVD status: Undergoing Analysis. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Weaknesses: CWE-204 (Observable Response Discrepancy) and CWE-285 (Improper Authorization).