CVE-2025-34441

AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

high 7.5 CVSS 3.1

Published: Dec 17, 2025

Modified: Dec 19, 2025

Vendor: Wwbn

Product: Avideo

Description

AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

References

https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
https://github.com/WWBN/AVideo/commit/1416c517e2
https://github.com/WWBN/AVideo/commit/4a53ab2056
https://www.vulncheck.com/advisories/avideo-user-information-disclosure-via-public-api

Related CVEs

CVSS Breakdown

Version	3.1
Score	7.5 / 10
Severity	high

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness (CWE)

CWE-359

Affected Product

Vendor	Wwbn
Product	Avideo