MEDIUM 5.3

GHSA-vpfx-pxqw-2w79

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

Details

CVE-2026-43881 fix `d9cdc7024` patched `users.json.php` only. The same anti-pattern survives at master HEAD in:

``` objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin, ['name', 'email', 'user', 'channelName'], 'a'); ```

No `User::loginCheck()`, no admin gate. Only entry guard: `preg_match('/^@/', $_REQUEST['term'])` and hard-coded `rowCount=10`.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / WWBN/AVideo

Introduced in: 0

No fixed version published yet for WWBN/AVideo (composer). Pin to a known-safe version or switch to an alternative.

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79 [WEB]
https://github.com/WWBN/AVideo [PACKAGE]
https://github.com/advisories/GHSA-6rvw-7p8v-mjfq [ADVISORY]