VYPR
Medium severity (5.3) · GHSA Advisory · Published May 18, 2026

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

CVE-2026-45620

Description

The fix for CVE-2026-43881 (commit d9cdc7024) patched users.json.php only. The same anti-pattern survives at master HEAD in:

objects/mention.json.php:17     $ignoreAdmin = true;
objects/mention.json.php:18     $users = User::getAllUsers($ignoreAdmin,
                                    ['name', 'email', 'user', 'channelName'], 'a');

There is no User::loginCheck() call and no admin gate. The only entry guards are preg_match('/^@/', $_REQUEST['term']) and a hard-coded rowCount=10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated user enumeration in AVideo's objects/mention.json.php due to missing access control, exposing user names, emails, and channels.

Vulnerability

The vulnerability exists in objects/mention.json.php in AVideo platform versions up to and including 29.0. The file sets $ignoreAdmin = true on line 17 and calls User::getAllUsers() with no prior authentication check (User::loginCheck()) or admin gate. The only entry guard is a preg_match('/^@/', $_REQUEST['term']) and a hard-coded rowCount=10. This is the same anti-pattern that was partially fixed in users.json.php for CVE-2026-43881, but mention.json.php remains unpatched [1][2][3][4].

Exploitation

An unauthenticated attacker can send a request to objects/mention.json.php with a term parameter starting with @ (e.g., term=@). The script will return up to 10 user records containing name, email, user, and channelName fields. No authentication, session, or special privileges are required; the attacker only needs network access to the AVideo instance [3][4].

Impact

Successful exploitation allows an unauthenticated attacker to enumerate registered users, obtaining their display names, email addresses, usernames, and channel names. This information disclosure can be used for targeted phishing, social engineering, or further attacks against the platform. The confidentiality of user data is compromised, but integrity and availability are not directly affected [2][3][4].

Mitigation

As of the publication date (May 18, 2026), no official patch has been released for this vulnerability. The fix for the related CVE-2026-43881 only addressed users.json.php and did not cover mention.json.php. Users should monitor the AVideo repository for updates and consider applying a custom patch that adds User::loginCheck() and proper admin authorization before the vulnerable code path. Until a fix is available, restricting network access to the AVideo instance or disabling the mention functionality may reduce exposure [1][3][4].
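A log-side check for the probing pattern described above, as an added example that is not from the advisory or the AVideo project: it parses combined-format access log lines, flags successful GET requests to objects/mention.json.php whose term starts with '@' (URL-encoded or not, since that prefix is the handler's only guard), and reports clients that repeat the request. The sample log lines are constructed, and the threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format), not real traffic:
# a burst of term=@ probes from one client, plus a single ordinary mention lookup from another.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:01:02 +0000] "GET /objects/mention.json.php?term=%40 HTTP/1.1" 200 812 "-" "curl/8.5.0"
203.0.113.7 - - [18/May/2026:10:01:03 +0000] "GET /objects/mention.json.php?term=%40a HTTP/1.1" 200 790 "-" "curl/8.5.0"
203.0.113.7 - - [18/May/2026:10:01:04 +0000] "GET /objects/mention.json.php?term=%40b HTTP/1.1" 200 801 "-" "curl/8.5.0"
198.51.100.4 - - [18/May/2026:10:02:10 +0000] "GET /objects/mention.json.php?term=%40jo HTTP/1.1" 200 230 "https://video.example/" "Mozilla/5.0"
198.51.100.4 - - [18/May/2026:10:02:12 +0000] "GET /objects/users.json.php?term=x HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Enough of the combined format to recover client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_mention_probe(target: str) -> bool:
    """True when the request target is objects/mention.json.php with a term that
    starts with '@' after URL decoding (parse_qs decodes %40 to '@')."""
    parts = urlsplit(target)
    if not parts.path.endswith("/objects/mention.json.php"):
        return False
    terms = parse_qs(parts.query).get("term", [])
    return any(t.startswith("@") for t in terms)


def find_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Return {client_ip: count} for clients whose successful (HTTP 200) mention
    probes reach the threshold. Note: $_REQUEST also accepts POST bodies, which an
    access log does not record, so this only sees the GET form of the request."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        if is_mention_probe(m["target"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```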

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)