CVE-2026-30885

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 25.0 contained security vulnerabilities. These vulnerabilities stemmed from the /objects/playlistsFromUser.json.php endpoint, which returned playlists for all users without...

EUVD-2026-10419

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

EUVD-2026-10418

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

CVE-2026-30885 WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

AVideo has Unauthenticated IDOR - Playlist Information Disclosure

Product: AVideo https://github.com/WWBN/AVideo Version: Latest tested March 2026 Type: Insecure Direct Object Reference IDOR Auth Required: No User Interaction: None Summary The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or...

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the playlistsFromUser.json.php. An attacker can access and enumerate sensitive playlist information belonging to any user by sending...

CVE-2025-32945

The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request,...

Pornhub: Private videos can be added to our playlists

The researcher discovered a way to add a user's private videos to a different user's playlist by way of a specially crafted request. Note that it is not possible to view another user's private video using this method IDOR/application logic flaw...