Executive Summary

CVE-2026-40908 is an unauthenticated information disclosure vulnerability in the WWBN AVideo platform, affecting versions 29.0 and prior.

The vulnerability exists because a PHP script named `git.json.php` located at the web root executes the command `git log -1` and returns its full output as JSON to any user without requiring authentication.

This output includes sensitive information such as the exact deployed commit hash, developer names and email addresses (personally identifiable information), and commit messages that may reference internal systems or security fixes.

Because the script is standalone and lacks any authentication or protection, anyone can access this information remotely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by exposing sensitive information to unauthorized users.

• Attackers can identify the exact software version deployed, allowing them to find and exploit known unpatched vulnerabilities.
• Developer personally identifiable information such as names and email addresses can be obtained, which could be used for targeted phishing or social engineering attacks.
• Commit messages may reveal internal project details, references to bug trackers, security fixes, or infrastructure information, potentially aiding attackers in planning further attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the file `git.json.php` is accessible at the web root of the WWBN AVideo installation and if it returns git commit information without authentication.

A simple way to detect this is to send an HTTP request to the URL path `/git.json.php` on the server hosting the AVideo platform and observe the response.

For example, you can use the following command to test this from a terminal:

• curl -i http://your-avideo-domain/git.json.php

If the response contains JSON output with git commit hashes, author names, email addresses, and commit messages without requiring authentication, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to delete the `git.json.php` file entirely from the web root, as it serves no user-facing purpose and is a leftover development/debug artifact.

If displaying version information is necessary, restrict access to this functionality behind proper authentication, such as requiring admin privileges before executing the git command and returning the output.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes developer personally identifiable information (PII), such as author names and email addresses, to any unauthenticated user. Such exposure of PII can lead to non-compliance with data protection regulations like GDPR, which require protection of personal data against unauthorized access.

Additionally, the exposure of internal commit messages that may reference security fixes or internal systems could increase the risk of targeted attacks, potentially impacting the confidentiality requirements of standards like HIPAA.

Therefore, this vulnerability can negatively affect compliance with common standards and regulations by leaking sensitive personal and internal information without authorization.

Useful 0 Not Useful 0