PT-2026-34061 · Wwbn · Avideo

Published: 2026-04-14 · Updated: 2026-04-21 · CVE-2026-40907

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions 29.0 and earlier

Description

An Insecure Direct Object Reference (IDOR) exists in the endpoint 'plugin/Live/view/Live restreams/list.json.php'. This allows any authenticated user with streaming permissions to retrieve live restream configurations of other users. Exposed data includes third-party platform stream keys and OAuth tokens, specifically access token and refresh token, for services such as YouTube Live, Facebook Live, and Twitch.

Recommendations

Update to a version that includes commit d5992fff2811df4adad1d9fc7d0a5837b882aed7.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-40907
GHSA-GPGP-W4X2-H3H7

Affected Products

Avideo