{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40908", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.767Z", "datePublished": "2026-04-21T19:52:34.204Z", "dateUpdated": "2026-04-21T19:52:34.204Z"}, "containers": {"cna": {"title": "WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:52:34.204Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available."}], "source": {"advisory": "GHSA-52hf-63q4-r926", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes. As of time of publication, no known patched versions are available."}], "id": "CVE-2026-40908", "lastModified": "2026-04-21T20:17:03.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:03.220", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T05:25:23.433708+00:00", "value": {"mitigation_remediation": ["Remove or rename the git.json.php file from the public web root to eliminate the disclosure path.", "Configure web server access controls or firewall rules to deny HTTP requests to that path or to the application root for unauthenticated users.", "Continuously monitor web server logs for attempts to access git.json.php and investigate any suspicious activity."], "summary": {"action": "Mitigate Exposure", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, versions 29.0 and earlier. Any installation that exposes the git.json.php file in the web root is susceptible.", "description_and_impact": "This vulnerability arises from the public git.json.php file in WWBN AVideo, which runs \"git log -1\" and returns the full output as JSON to any user. The output includes the exact deployed commit hash, developer names, developer email addresses, and commit messages. This exposure satisfies CWE\u2011200, leading to disclosure of sensitive internal information and potential for version fingerprinting against known CVEs.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so the current exploitation likelihood is uncertain. The likely attack vector is unauthenticated HTTP requests to the exposed file, allowing remote attackers to retrieve internal data without authentication."}}}}, "created": "2026-04-22T04:15:07.394993+00:00", "updated": "2026-04-22T05:30:09.556930+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}