CVE-2026-40908
Last modified
CVE-2026-40908 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 29.0 |
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926Exploit, Vendor Advisory
- https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-40908?
How severe is CVE-2026-40908?
How do I fix CVE-2026-40908?
Are you affected by CVE-2026-40908?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST