Summary
The file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commit messages which may contain references to internal systems or security fixes.
Details
git.json.php is a standalone PHP script with no authentication, no session validation, and no framework bootstrap. It directly executes a shell command and returns the result:
```php
<?php
// git.json.php, complete file.
// Note: no require of the framework bootstrap and no User/session check
// precede the shell command, so any client that can reach the file gets
// the output.
header('Content-Type: application/json');
$cmd = "git log -1";
exec($cmd . " 2>&1", $output, $return_val);   // stdout and stderr captured line by line
$obj = new stdClass();
$obj->output = $output;                        // raw git output: hash, author, date, message
foreach ($output as $value) {
    preg_match("/Date:(.*)/i", $value, $match);
    if (!empty($match[1])) {
        $obj->date = strtotime($match[1]);
        $obj->dateString = trim($match[1]);
        $obj->dateMySQL = date("Y-m-d H:i:s", $obj->date);
    }
}
echo json_encode($obj);
```
The file does not require any configuration or authentication module. It is not protected by .htaccess rules. The endpoint is directly accessible to any network client.
The exposed data enables:
- Version fingerprinting: The commit hash identifies the exact deployed version, allowing attackers to cross-reference the project's public git history against known CVEs (AVideo has 22 published GHSAs) to determine which vulnerabilities remain unpatched on a given instance.
- Developer PII leakage: Author name and email from the git commit are exposed. On self-hosted instances, this may reveal internal/corporate email addresses not otherwise publicly available.
- Commit message intelligence: Commit messages may reference internal bug trackers, security fixes in progress, or infrastructure details.
PoC
```bash
# Single unauthenticated request, no cookies, no headers needed
curl -s https://target.example/git.json.php | python3 -m json.tool
```
Verified response from test instance:
```json
{
    "output": [
        "commit 80a8af96e861cff45cd80fdd2478d00b2c07749e",
        "Author: Daniel Neto <[email protected]>",
        "Date:   Wed Apr 8 16:07:23 2026 -0300",
        "",
        "    fix: Update payment response handling to include transaction token and URL"
    ],
    "date": 1775675243,
    "dateString": "Wed Apr 8 16:07:23 2026 -0300",
    "dateMySQL": "2026-04-08 19:07:23"
}
```
Impact
- Any unauthenticated remote attacker can determine the exact deployed version and identify which known CVEs (22 published GHSAs for AVideo) apply to the target instance.
- Developer email addresses are leaked, enabling targeted phishing or social engineering against project maintainers and contributors.
- Commit messages may disclose internal project details, security fix status, or infrastructure information.
CVE-2026-40908 has a CVSS score of 5.3 (Medium). The attack vector is network-reachable and requires neither privileges nor user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
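As an added example (not part of the advisory), the following Python check lets a defender review web-server access logs for requests to git.json.php and tell apart requests that succeeded (HTTP 200, the endpoint was exposed) from those that were blocked (403/404 after removal or gating). It assumes the Apache/nginx "combined" log format; the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The endpoint may live below a sub-path when AVideo is installed in a
# subdirectory, so match on the trailing file name rather than the full path.
TARGET_SUFFIX = "/git.json.php"

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec

def find_git_json_hits(lines):
    """Return (exposed, blocked): per-client counts of 200 responses for
    git.json.php (data was served) and of non-200 responses (access denied)."""
    exposed, blocked = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(TARGET_SUFFIX):
            continue
        if rec["status"] == 200:
            exposed[rec["ip"]] += 1
        else:
            blocked[rec["ip"]] += 1
    return exposed, blocked

# Constructed sample log lines (not from a real instance).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Apr/2026:10:15:02 +0000] "GET /git.json.php HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '198.51.100.7 - - [09/Apr/2026:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 18234 "-" "curl/8.5.0"',
    '203.0.113.42 - - [09/Apr/2026:11:02:47 +0000] "GET /git.json.php?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [09/Apr/2026:11:02:48 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2026:08:00:01 +0000] "GET /git.json.php HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    served, denied = find_git_json_hits(SAMPLE_LOG)
    print("git.json.php served (exposed):", dict(served))
    print("git.json.php denied:", dict(denied))
```

Any entry in the exposed set after the file was supposedly removed means the mitigation did not take effect on that host.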
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Delete git.json.php entirely; it serves no user-facing purpose and exists only as a development/debug artifact:

```bash
rm git.json.php
```
If version display is needed for administrators, gate it behind authentication:
```php
<?php
// Load the framework so the session and User model are available.
require_once 'videos/configuration.php';
// Refuse anyone who is not an authenticated administrator before running anything.
if (!User::isAdmin()) {
    header('HTTP/1.1 403 Forbidden');
    die(json_encode(['error' => 'Forbidden']));
}
header('Content-Type: application/json');
$cmd = "git log -1";
exec($cmd . " 2>&1", $output, $return_val);
$obj = new stdClass();
$obj->output = $output;
foreach ($output as $value) {
    preg_match("/Date:(.*)/i", $value, $match);
    if (!empty($match[1])) {
        $obj->date = strtotime($match[1]);
        $obj->dateString = trim($match[1]);
        $obj->dateMySQL = date("Y-m-d H:i:s", $obj->date);
    }
}
echo json_encode($obj);
```
Frequently Asked Questions
- What is CVE-2026-40908? CVE-2026-40908 is a medium-severity security vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.
- How severe is CVE-2026-40908? CVE-2026-40908 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of wwbn/avideo are affected by CVE-2026-40908? wwbn/avideo (composer) versions <= 29.0 are affected.
- Is there a fix for CVE-2026-40908? No fixed version is listed for CVE-2026-40908 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-40908 exploitable, and should I be worried? Whether CVE-2026-40908 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-40908 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.