PT-2026-41716 · Avideo · Avideo

Snailsploit · Published 2026-05-18 · Updated 2026-05-29 · CVE-2026-45620

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier
Description: An issue exists in the open source video platform where the endpoint "objects/mention.json.php" lacks a User::loginCheck() or admin gate. The endpoint's only entry guard is preg_match('/^@/', $_REQUEST['term']) together with a hard-coded rowCount=10. This allows unauthenticated users to perform user enumeration by manipulating the term parameter.
Recommendations: Update AVideo to a version later than 29.0. As a temporary workaround, restrict access to the "objects/mention.json.php" endpoint to minimize the risk of user enumeration.
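The following PHP is an added illustration, not AVideo's own code, of the weak pattern the description attributes to the endpoint (a prefix check on term and a fixed row count as the only guard) next to a hardened form that requires an authenticated session before any lookup. The function names mentionLookupWeak and mentionLookupHardened, the $isLoggedIn callable standing in for a User::loginCheck()-style gate, the $searchUsers callable and the in-memory user list are all assumptions made for this example; only User::loginCheck(), preg_match('/^@/', ...) and rowCount=10 come from the advisory.

```php
<?php
// Added example (not AVideo code). Demonstrates the missing authorization gate
// described in CVE-2026-45620 and one way to close it.

// Constructed sample data standing in for the users table.
$USERS = ['alice', 'alicia', 'bob', 'bobby', 'carol'];

// Hypothetical search helper: prefix match on user name, capped at $rowCount.
$searchUsers = function (string $prefix, int $rowCount) use ($USERS): array {
    $hits = array_values(array_filter(
        $USERS,
        fn(string $u) => $prefix !== '' && str_starts_with($u, $prefix)
    ));
    return array_slice($hits, 0, $rowCount);
};

// Weak pattern, as the advisory describes it: the only guard is that the
// term starts with '@', and the row count is hard-coded to 10. Nothing
// checks who is asking, so an anonymous client can enumerate user names.
function mentionLookupWeak(array $request, callable $searchUsers): array
{
    $term = $request['term'] ?? '';
    if (!preg_match('/^@/', $term)) {
        return [];
    }
    return $searchUsers(substr($term, 1), 10); // hard-coded rowCount=10
}

// Hardened pattern (assumed design, not the project's fix): refuse the
// request unless the caller is authenticated, then validate the term and
// keep the result cap. $isLoggedIn plays the role of User::loginCheck().
function mentionLookupHardened(array $request, callable $isLoggedIn, callable $searchUsers): array
{
    if (!$isLoggedIn()) {
        // 403 for the anonymous caller; no user data leaves the server.
        return ['status' => 403, 'error' => 'authentication required'];
    }
    $term = $request['term'] ?? '';
    // Require the '@' prefix and a minimum of two characters after it so a
    // logged-in user cannot dump the whole table one letter at a time.
    if (!preg_match('/^@[A-Za-z0-9_]{2,32}$/', $term)) {
        return ['status' => 400, 'error' => 'invalid term'];
    }
    return ['status' => 200, 'users' => $searchUsers(substr($term, 1), 10)];
}

// Demonstration with constructed requests.
$anonymous = fn(): bool => false;
$member    = fn(): bool => true;

// Weak endpoint: anonymous request succeeds and returns user names.
print_r(mentionLookupWeak(['term' => '@ali'], $searchUsers));

// Hardened endpoint: anonymous request is rejected before any lookup.
print_r(mentionLookupHardened(['term' => '@ali'], $anonymous, $searchUsers));

// Hardened endpoint: authenticated request with a well-formed term is served.
print_r(mentionLookupHardened(['term' => '@ali'], $member, $searchUsers));

// Hardened endpoint: a single-character probe is refused even for members.
print_r(mentionLookupHardened(['term' => '@a'], $member, $searchUsers));
```

The point of the contrast is where the authorization decision sits: in the hardened form it is the first statement, before any input parsing or database access, so the enumeration surface is closed regardless of how term is shaped. The minimum-length rule on the term is an extra, assumed hardening and not something the advisory attributes to the upstream fix.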

Fix

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2026-45620
GHSA-VPFX-PXQW-2W79

Affected Products

Avideo