Main Vulnerability Database SB2026042392

SB2026042392 - Information disclosure in Opencast

Published: April 23, 2026

Security Bulletin ID SB2026042392

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2025-54380)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in mediapackage element fetching when processing a mediapackage XML file. A remote user can supply a URL of their choosing to disclose sensitive information.

The exposed information consists of the hashed global system account credentials, and exploitation requires ingest permissions.

Remediation

Install update from vendor's website.

References

https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7