Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-40908— WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version

CVSS 5.3 · Medium EPSS 0.06% · P19
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-40908

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在信息泄露漏洞,该漏洞源于根目录下的git.json.php文件向任何未经身份验证的用户执行并返回git log -1的完整输出,可能导致泄露部署的提交哈希、开发者个人信息和提交消息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
WWBNAVideo <= 29.0 -

II. Public POCs for CVE-2026-40908

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-40908

登录查看更多情报信息。

Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total

CVE-2026-4091110.0 CRITICALWWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaSc
CVE-2026-410649.3 CRITICALAVideo has an incomplete fix for CVE-2026-33502 (Command Injection)
CVE-2026-409098.7 HIGHWWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File W
CVE-2026-410558.6 HIGHAVideo has an incomplete fix for CVE-2026-33039 (SSRF)
CVE-2026-409258.3 HIGHWWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeo
CVE-2026-410588.1 HIGHAVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo
CVE-2026-410568.1 HIGHAVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enable
CVE-2026-410607.7 HIGHAVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
CVE-2026-410577.1 HIGHAVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) t
CVE-2026-409267.1 HIGHWWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Scrip
CVE-2026-409076.5 MEDIUMWWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys
CVE-2026-410626.5 MEDIUMWWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in Rec
CVE-2026-409295.4 MEDIUMWWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comme
CVE-2026-409285.4 MEDIUMAVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Cr
CVE-2026-410635.4 MEDIUMWWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)
CVE-2026-410615.4 MEDIUMWWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiv
CVE-2026-409355.3 MEDIUMWWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token
CVE-2026-41304WWBN AVideo vulnerable to RCE caused by clonesite plugin

IV. Related Vulnerabilities

Same product: AVideo
Same vendor: WWBN
Same weakness: CWE-200

V. Comments for CVE-2026-40908

No comments yet

Leave a comment