CVE-2026-45620 — AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unaut

Description

CVE-2026-43881 fix `d9cdc7024` patched `users.json.php` only. The same anti-pattern survives at master HEAD in: ``` objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers($ignoreAdmin, ['name', 'email', 'user', 'channelName'], 'a'); ``` No `User::loginCheck()`, no admin gate. Only entry guard: `preg_match('/^@/', $_REQUEST['term'])` and hard-coded `rowCount=10`.

How to fix CVE-2026-45620

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2026-45620 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 29.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYgithub.com/advisories/GHSA-6rvw-7p8v-mjfq
ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-45620
PATCHgithub.com/WWBN/AVideo
WEBgithub.com/WWBN/AVideo/security/advisories/GHSA-vpfx-pxqw-2w79