Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-6w2r-cfpc-23r5

AVideo has Unauthenticated IDOR - Playlist Information Disclosure

Also known asCVE-2026-30885
Published
Mar 7, 2026
Updated
Mar 10, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk28th percentile+0.25%
0.00%0.29%0.58%0.86%0.1%0.2%0.1%0.4%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐘wwbn/avideo

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Product: AVideo (https://github.com/WWBN/AVideo) Version: Latest (tested March 2026) Type: Insecure Direct Object Reference (IDOR) Auth Required: No User Interaction: None

Summary

The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform.

Root Cause

The endpoint accepts a users_id parameter and directly queries the database without any authentication or authorization check. File: objects/playlistsFromUser.json.php

if (empty($_GET['users_id'])) {
    die("You need a user");
}
// NO AUTHENTICATION CHECK
// NO AUTHORIZATION CHECK (does this user_id belong to the requester?)
$row = PlayList::getAllFromUser($_GET['users_id'], false);
echo json_encode($row);

There is no call to User::isLogged() or any comparison between the requesting user and the target users_id.

Affected Code

FileLineIssue
objects/playlistsFromUser.json.php10-21No authentication or authorization check before returning playlist data

Proof of Concept

Retrieve admin's playlists (user ID 1)

curl "https://TARGET/objects/playlistsFromUser.json.php?users_id=1"

Response:

[
  {"id":false,"name":"Watch Later","status":"watch_later","users_id":1},
  {"id":false,"name":"Favorite","status":"favorite","users_id":1}
]
<img width="1805" height="365" alt="image" src="https://github.com/user-attachments/assets/a13c9c2f-29be-4399-98d2-7570ca30465a" />

Impact

  • Privacy violation — any visitor can see all users' playlist names and contents
  • User enumeration — valid user IDs can be discovered by iterating through IDs
  • Information gathering — playlist names and video IDs reveal user interests and private content preferences
  • Targeted attacks — gathered information can be used for social engineering or further exploitation

Remediation

Add authentication and authorization checks:

// Option 1: Require authentication + only own playlists
if (!User::isLogged()) {
    die(json_encode(['error' => 'Authentication required']));
}
if ($_GET['users_id'] != User::getId() && !User::isAdmin()) {
    die(json_encode(['error' => 'Access denied']));
}

// Option 2: If public playlists are intended, filter by visibility
$row = PlayList::getAllFromUser($_GET['users_id'], false, 'public');

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistwwbn/avideoall versions25.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update wwbn/avideo to 25.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-6w2r-cfpc-23r5 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-6w2r-cfpc-23r5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-6w2r-cfpc-23r5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

**Product:** AVideo (https://github.com/WWBN/AVideo) **Version:** Latest (tested March 2026) **Type:** Insecure Direct Object Reference (IDOR) **Auth Required:** No **User Interaction:** None ## Summary The `/objects/playlistsFromUser.json.php` endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. ## Root Cause The endpoint accepts a `users_id` parameter and directly queries the d
O3 Security · Impact-Aware SCA

Is GHSA-6w2r-cfpc-23r5 in your dependencies?

O3 detects GHSA-6w2r-cfpc-23r5 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works