CVE-2026-45620: AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

May 18, 2026 (updated June 9, 2026)

CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in:

objects/mention.json.php:17     $ignoreAdmin = true;
objects/mention.json.php:18     $users = User::getAllUsers($ignoreAdmin,
['name', 'email', 'user', 'channelName'], 'a');

No User::loginCheck(), no admin gate. Only entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10.

References

github.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79
github.com/advisories/GHSA-6rvw-7p8v-mjfq
github.com/advisories/GHSA-vpfx-pxqw-2w79
nvd.nist.gov/vuln/detail/CVE-2026-45620

Code Behaviors & Features

Detect and mitigate CVE-2026-45620 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →