AVideo < 20.0 User Information Disclosure via Public API

Advisories

severity: medium
date: December 17, 2025
Affecting: AVideo < 20.0
CVE: CVE-2025-34441
CWE: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
References: AVideo Release Notes
AVideo Patch Commit
Credit: Valentin Lobstein (Chocapikk)
Description: AVideo versions prior to 20.0 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.