GHSA-52hf-63q4-r926: WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version

April 14, 2026

The file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-52hf-63q4-r926
github.com/advisories/GHSA-52hf-63q4-r926

Code Behaviors & Features

Detect and mitigate GHSA-52hf-63q4-r926 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →