What is GHSA-vpfx-pxqw-2w79?

GHSA-vpfx-pxqw-2w79 is a security advisory published by GitHub Security Advisories with Medium severity. AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

Which CVE IDs does GHSA-vpfx-pxqw-2w79 cover?

GHSA-vpfx-pxqw-2w79 covers the following CVE IDs: CVE-2026-45620. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vpfx-pxqw-2w79?

GHSA-vpfx-pxqw-2w79 has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

Which products are affected by GHSA-vpfx-pxqw-2w79?

GHSA-vpfx-pxqw-2w79 affects 1 product, including: composer/WWBN/AVideo:\u003c= 29.0.

GHSA-vpfx-pxqw-2w79MediumCVSS 5.3

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45620 →

📋 Description

CVE-2026-43881 fix `d9cdc7024` patched `users.json.php` only. The same anti-pattern survives at master HEAD in: ``` objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin, ['name', 'email', 'user', 'channelName'], 'a'); ``` No `User::loginCheck()`, no admin gate. Only entry guard: `preg_match('/^@/', $_REQUEST['term'])` and hard-coded `rowCount=10`.

🎯 Affected products1

composer/WWBN/AVideo:<= 29.0

🔗 References (3)

https://github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79
https://github.com/advisories/GHSA-6rvw-7p8v-mjfq
https://github.com/advisories/GHSA-vpfx-pxqw-2w79