PT-2026-24090 · Avideo · Avideo
Akokonunes (+1)
Published: 2026-03-07 · Updated: 2026-03-13
CVE-2026-30885
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 25.0
Description: The /objects/playlistsFromUser.json.php endpoint does not require authentication or authorization, allowing an unauthenticated attacker to enumerate user IDs and retrieve playlist information, including playlist names, video IDs, and playlist status, for any user on the platform. The endpoint accepts a users id parameter and directly queries the database without any authentication or authorization checks. This can lead to privacy violations, user enumeration, information gathering, and potential targeted attacks. The vulnerable file is objects/playlistsFromUser.json.php. The getAllFromUser() function is used to retrieve playlist data without verifying user access.
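Because the endpoint answers any caller, the abuse pattern the description names (walking user IDs to collect playlist data) leaves a distinctive trace in the web server access log: one client requesting playlistsFromUser.json.php with many distinct users id values in a short window. The detector below is an added example, not code from the advisory or from the AVideo project; it assumes a combined-format access log, a query parameter spelled users_id, and constructed sample lines.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/objects/playlistsFromUser.json.php"

Request = namedtuple("Request", "ip ts path query")

# Apache/nginx combined log layout (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic: one client sweeps six user IDs in six seconds,
# another client re-reads a single playlist owner and browses elsewhere.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2026:10:00:01 +0000] "GET /objects/playlistsFromUser.json.php?users_id=1 HTTP/1.1" 200 512
203.0.113.5 - - [07/Mar/2026:10:00:02 +0000] "GET /objects/playlistsFromUser.json.php?users_id=2 HTTP/1.1" 200 87
203.0.113.5 - - [07/Mar/2026:10:00:03 +0000] "GET /objects/playlistsFromUser.json.php?users_id=3 HTTP/1.1" 200 640
203.0.113.5 - - [07/Mar/2026:10:00:04 +0000] "GET /objects/playlistsFromUser.json.php?users_id=4 HTTP/1.1" 200 91
203.0.113.5 - - [07/Mar/2026:10:00:05 +0000] "GET /objects/playlistsFromUser.json.php?users_id=5 HTTP/1.1" 200 88
203.0.113.5 - - [07/Mar/2026:10:00:06 +0000] "GET /objects/playlistsFromUser.json.php?users_id=6 HTTP/1.1" 200 303
198.51.100.7 - - [07/Mar/2026:10:01:10 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 410
198.51.100.7 - - [07/Mar/2026:10:02:15 +0000] "GET /objects/playlistsFromUser.json.php?users_id=42 HTTP/1.1" 200 410
198.51.100.7 - - [07/Mar/2026:10:03:20 +0000] "GET /view/index.php?u=abc HTTP/1.1" 200 9000
not a log line at all
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    return Request(m["ip"], ts, parts.path, parse_qs(parts.query))


def find_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Return {ip: n} for clients that asked the endpoint about at least
    `threshold` distinct users_id values inside any `window`-long span."""
    seen = defaultdict(list)  # ip -> [(timestamp, users_id)]
    for line in lines:
        req = parse_line(line)
        if req is None or req.path != ENDPOINT:
            continue
        uid = req.query.get("users_id", [None])[0]
        if uid is None:
            continue
        seen[req.ip].append((req.ts, uid))

    alerts = {}
    for ip, hits in seen.items():
        hits.sort()
        best = 0
        # Sliding window anchored at each request: distinct IDs seen from there on.
        for t0, _ in hits:
            ids = {uid for t, uid in hits if t0 <= t <= t0 + window}
            best = max(best, len(ids))
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible user enumeration from {ip}: {n} distinct users_id values")
```

The threshold and window are tuning knobs; repeated reads of a single owner's playlists (the second client) are normal browsing and stay below the threshold, while a sweep across many IDs does not.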
Recommendations: Versions prior to 25.0 should be updated to version 25.0 or later. Implement authentication and authorization checks before returning playlist data. As an option, require authentication and only allow access to a user's own playlists, or filter playlists by visibility if public playlists are intended.
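The two recommendations (require a session, then either restrict the caller to their own playlists or filter by visibility) can be expressed as a single access-control function in front of the data lookup. The code below is an added illustration written for this page, not AVideo's code or its getAllFromUser() implementation: the Playlist fields, the status vocabulary (public / unlisted / private), the users_id parameter name and the sample rows are all constructed assumptions.

```python
import json
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class Playlist:
    id: int
    users_id: int
    name: str
    status: str        # assumed vocabulary: "public", "unlisted" or "private"
    video_ids: tuple


# Constructed sample rows standing in for the playlists table.
PLAYLISTS = (
    Playlist(1, 10, "Public favourites", "public", (101, 102)),
    Playlist(2, 10, "Private drafts", "private", (103,)),
    Playlist(3, 10, "Shared link", "unlisted", (104,)),
    Playlist(4, 20, "Other user public", "public", (201,)),
)


def get_all_from_user_unchecked(users_id):
    """Shape of the weakness: every row for any id, with no caller check."""
    return [p for p in PLAYLISTS if p.users_id == users_id]


def playlists_from_user(users_id, session_user_id: Optional[int], public_allowed=True):
    """Hardened lookup.

    session_user_id is the authenticated caller (None when anonymous).
    Owners see all of their playlists; other authenticated users see only
    public ones, or nothing at all when public_allowed is False.
    """
    if session_user_id is None:
        raise PermissionError("authentication required")
    rows = [p for p in PLAYLISTS if p.users_id == users_id]
    if session_user_id == users_id:
        return rows
    if not public_allowed:
        raise PermissionError("not allowed to read another user's playlists")
    return [p for p in rows if p.status == "public"]


def handle_request(params, session_user_id: Optional[int]):
    """Mimic the JSON endpoint: returns (http_status, body)."""
    try:
        users_id = int(params.get("users_id", ""))
    except ValueError:
        return 400, json.dumps({"error": "users_id must be an integer"})
    try:
        rows = playlists_from_user(users_id, session_user_id)
    except PermissionError as exc:
        status = 401 if session_user_id is None else 403
        return status, json.dumps({"error": str(exc)})
    return 200, json.dumps([asdict(p) for p in rows])


if __name__ == "__main__":
    print("unchecked:", [p.name for p in get_all_from_user_unchecked(10)])
    print("anonymous:", handle_request({"users_id": "10"}, None))
    print("owner:    ", handle_request({"users_id": "10"}, 10))
    print("other:    ", handle_request({"users_id": "10"}, 20))
```

The distinction that matters is where the check sits: it runs before the row lookup returns anything, so the private and unlisted rows never reach serialization for a non-owner, and an anonymous caller gets a 401 before any user ID is consulted.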


Weakness Enumeration: IDOR · Missing Authorization · Missing Authentication

Related Identifiers: CVE-2026-30885 · GHSA-6W2R-CFPC-23R5

Affected Products: Avideo