CVE-2026-40908
Information Disclosure in WWBN AVideo git.json.php Component
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 29.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40908 is an unauthenticated information disclosure vulnerability in the WWBN AVideo platform, affecting versions 29.0 and prior.
The vulnerability exists because a PHP script named `git.json.php` located at the web root executes the command `git log -1` and returns its full output as JSON to any user without requiring authentication.
This output includes sensitive information such as the exact deployed commit hash, developer names and email addresses (personally identifiable information), and commit messages that may reference internal systems or security fixes.
Because the script is standalone and lacks any authentication or protection, anyone can access this information remotely.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive information to unauthorized users.
- Attackers can identify the exact software version deployed, allowing them to find and exploit known unpatched vulnerabilities.
- Developer personally identifiable information such as names and email addresses can be obtained, which could be used for targeted phishing or social engineering attacks.
- Commit messages may reveal internal project details, references to bug trackers, security fixes, or infrastructure information, potentially aiding attackers in planning further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the file `git.json.php` is accessible at the web root of the WWBN AVideo installation and if it returns git commit information without authentication.
A simple way to detect this is to send an HTTP request to the URL path `/git.json.php` on the server hosting the AVideo platform and observe the response.
For example, you can use the following command to test this from a terminal:

```shell
curl -i http://your-avideo-domain/git.json.php
```
If the response contains JSON output with git commit hashes, author names, email addresses, and commit messages without requiring authentication, the vulnerability is present.
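The check described above, written as a small scanner rather than a one-off `curl` call, is an added example and not code from this page or from the AVideo project. It sends the same unauthenticated request to `/git.json.php` and then classifies the body: the response counts as a disclosure when it is a 200 that carries a 40-hex commit hash, and any author e-mail addresses found are reported so the PII exposure is visible in the result. The JSON shape of the sample response is constructed here (the page only says the script returns the `git log -1` output as JSON), so the classifier works on the flattened text of whatever JSON comes back instead of assuming particular keys.

```python
import json
import re
import sys
import urllib.error
import urllib.request

# Markers of `git log -1` output: a full 40-hex commit id and an author e-mail.
COMMIT_HASH_RE = re.compile(r"\b[0-9a-f]{40}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample of a leaking response (assumed shape; the real key names
# are not documented on the page, which is why classification ignores them).
SAMPLE_LEAK = json.dumps({
    "output": "commit 3f2a9c1e5b7d4a6f8e0c2b4d6f8a0c2e4b6d8f1a\n"
              "Author: Jane Doe <jane.doe@example.com>\n"
              "Date:   Tue Apr 21 10:00:00 2026 +0000\n\n"
              "    Fix typo in login form\n"
})


def classify_response(status: int, body: str) -> dict:
    """Decide whether an HTTP response looks like leaked `git log -1` output.

    Returns a dict with the status, the first commit hash found (or None),
    the sorted set of e-mail addresses found, and a 'vulnerable' verdict.
    """
    result = {"status": status, "commit_hash": None, "emails": [], "vulnerable": False}
    if status != 200:
        # Deleted file (404) or an auth redirect (30x) means the leak is not present.
        return result

    # If the body is JSON, flatten it so every string value is scanned regardless
    # of key names; otherwise scan the raw text.
    text = body
    try:
        text = json.dumps(json.loads(body))
    except ValueError:
        pass

    match = COMMIT_HASH_RE.search(text)
    result["commit_hash"] = match.group(0) if match else None
    result["emails"] = sorted(set(EMAIL_RE.findall(text)))
    # A commit id served to an anonymous client is the defining symptom;
    # e-mail addresses document the additional PII exposure.
    result["vulnerable"] = match is not None
    return result


def check_host(base_url: str, timeout: float = 10.0) -> dict:
    """Request /git.json.php anonymously (no cookies, no auth) and classify it."""
    url = base_url.rstrip("/") + "/git.json.php"
    req = urllib.request.Request(url, headers={"User-Agent": "avideo-git-json-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python check_git_json.py https://your-avideo-domain
    if len(sys.argv) != 2:
        print(__doc__ or "usage: check_git_json.py BASE_URL")
        sys.exit(2)
    verdict = check_host(sys.argv[1])
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["vulnerable"] else 0)
```

The exit code makes the script usable from a scheduled job: a non-zero status after the fix has been applied (file deleted or endpoint placed behind admin authentication) means the leak has come back, for example through a re-deploy that restored the file.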
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to delete the `git.json.php` file entirely from the web root, as it serves no user-facing purpose and is a leftover development/debug artifact.
If displaying version information is necessary, restrict access to this functionality behind proper authentication, such as requiring admin privileges before executing the git command and returning the output.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes developer personally identifiable information (PII), such as author names and email addresses, to any unauthenticated user. Such exposure of PII can lead to non-compliance with data protection regulations like GDPR, which require protection of personal data against unauthorized access.
Additionally, the exposure of internal commit messages that may reference security fixes or internal systems could increase the risk of targeted attacks, potentially impacting the confidentiality requirements of standards like HIPAA.
Therefore, this vulnerability can negatively affect compliance with common standards and regulations by leaking sensitive personal and internal information without authorization.