CVE-2026-40908

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.

Vulnerability Details

Published Date

April 21, 2026

Last Modified

April 23, 2026

CWE ID

CWE-200

Source

NVD

Vendor

WWBN

Product

AVideo

External References

https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment