CVE-2026-40908: WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version

April 14, 2026 (updated April 24, 2026)

The file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926
github.com/advisories/GHSA-52hf-63q4-r926
nvd.nist.gov/vuln/detail/CVE-2026-40908

Code Behaviors & Features

Detect and mitigate CVE-2026-40908 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →