PT-2026-37301 · Wwbn · Avideo

Tronglinh23 · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43885

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions prior to 29.1

Description

An unauthenticated user can access the public endpoint "objects/plugins.json.php" to read the APISecret from the plugin object data. This secret can then be used to authenticate requests to the protected API endpoint "plugin/API/get.json.php" by providing it via the APISecret parameter, allowing unauthorized access to protected data such as the users list via the APIName parameter.

Recommendations

Update to the version containing commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b. Require administrator authentication for the full plugin inventory and configuration endpoint.
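
A log-review check for the request sequence in the description, added here as an example and not taken from the advisory or the AVideo project. It assumes web-server access logs in combined log format; the function name, the sample lines and the PLACEHOLDER/REDACTED values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

INVENTORY = "/objects/plugins.json.php"  # public endpoint named in the advisory
API = "/plugin/API/get.json.php"         # protected endpoint named in the advisory

def find_secret_replay(lines):
    """Flag clients that read the plugin inventory (HTTP 200) and later called
    the API endpoint with an APISecret query parameter.
    Limitation: an APISecret sent in a POST body is not in access logs."""
    inventory_seen = {}  # client ip -> time of first successful inventory read
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, _method, target, status = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        query = {k.lower(): v for k, v in parse_qs(url.query).items()}
        if path.endswith(INVENTORY) and status == "200":
            inventory_seen.setdefault(ip, ts)
        elif path.endswith(API.lower()) and "apisecret" in query and ip in inventory_seen:
            # The secret value itself is deliberately never copied into findings.
            findings.append({
                "ip": ip,
                "inventory_at": inventory_seen[ip],
                "api_at": ts,
                "api_name": query.get("apiname", [""])[0],
                "status": status,
            })
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/May/2026:10:01:02 +0000] "GET /objects/plugins.json.php HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.7 - - [06/May/2026:10:01:09 +0000] "GET /plugin/API/get.json.php?APIName=PLACEHOLDER&APISecret=REDACTED HTTP/1.1" 200 9120 "-" "-"',
    '203.0.113.20 - - [06/May/2026:10:05:00 +0000] "GET /plugin/API/get.json.php?APIName=PLACEHOLDER HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [06/May/2026:10:06:00 +0000] "GET /objects/plugins.json.php HTTP/1.1" 403 120 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_secret_replay(SAMPLE_LOG):
        print(hit)
```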

Exploit

Fix

Information Disclosure

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-43885
GHSA-XR49-F4RH-QCJF

Affected Products

Avideo