
Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages, which may contain references to internal systems or security fixes. As of the time of publication, no known patched versions are available.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-21 | Updated 2026-04-22 | Assigner GitHub_M




MEDIUM: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

<= 29.0: affected

References

github.com/...AVideo/security/advisories/GHSA-52hf-63q4-r926 exploit

github.com/...AVideo/security/advisories/GHSA-52hf-63q4-r926

cve.org (CVE-2026-40908)

nvd.nist.gov (CVE-2026-40908)
