Skip to content

AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin

High severity GitHub Reviewed Published May 11, 2026 in WWBN/AVideo • Updated May 15, 2026

No open alerts for this advisory

Give feedback on Dependabot alerts