| CVE | Severity | Score 1 | Score 2 | Age | Summary |
|---|---|---|---|---|---|
| CVE-2026-45578 | high | 8.8 | 8.8 | 19d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsyn… |
| CVE-2026-43885 | high | — | 8.0 | 29d ago | AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization |
| CVE-2026-40926 | high | — | 8.0 | 2mo ago | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) |
| CVE-2026-33492 | high | — | 8.0 | 3mo ago | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration |
| CVE-2026-33485 | high | — | 8.0 | 3mo ago | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter |
| CVE-2026-43884 | high | 7.7 | 7.7 | 29d ago | AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() |
| CVE-2026-43873 | high | 7.5 | 7.5 | 29d ago | AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server |
| CVE-2026-43874 | high | 7.2 | 7.2 | 29d ago | AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass |
| CVE-2026-43875 | medium | 6.8 | 6.8 | 29d ago | AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover |
| CVE-2026-45619 | medium | 6.5 | 6.5 | 19d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS … |
| CVE-2026-45610 | medium | 6.5 | 6.5 | 19d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA val… |
| CVE-2026-43876 | medium | 6.4 | 6.4 | 29d ago | AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers |
| CVE-2026-43878 | medium | 6.1 | 6.1 | 29d ago | AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal |
| CVE-2026-41062 | medium | — | 5.5 | 2mo ago | WWBN AVideo: Incomplete Fix: Directory Traversal Bypass via Query String in ReceiveImage downloadURL Parameters |
| CVE-2026-34368 | medium | — | 5.5 | 2mo ago | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance |
| CVE-2026-45580 | medium | 5.4 | 5.4 | 19d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream … |
| CVE-2026-43879 | medium | 5.4 | 5.4 | 29d ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass |
| CVE-2026-43877 | medium | 5.4 | 5.4 | 29d ago | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content |
| CVE-2026-46337 | medium | 5.3 | 5.3 | 15d ago | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` |
| CVE-2026-45620 | medium | 5.3 | 5.3 | 17d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) … |
| CVE-2026-43881 | medium | 5.3 | 5.3 | 29d ago | AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction |
| CVE-2026-43880 | medium | 5.3 | 5.3 | 29d ago | AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site's Legitimate From Address |
| CVE-2026-45731 | medium | 4.9 | 4.9 | 16d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line executi… |
| CVE-2026-43882 | medium | 4.3 | 4.3 | 29d ago | AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing |
| CVE-2026-43883 | medium | 4.2 | 4.2 | 29d ago | AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements |
| CVE-2026-29058 | unknown | — | 1.0 | 3mo ago | WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php |
| CVE-2026-28501 | unknown | — | 1.0 | 3mo ago | AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php |
| CVE-2024-31819 | unknown | — | 1.0 | 2y ago | WWBN AVideo Remote Code Execution |
| CVE-2026-41304 | unknown | — | — | 2mo ago | WWBN AVideo: RCE Caused by CloneSite Plugin |
| CVE-2026-41064 | unknown | — | — | 2mo ago | WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection |
| CVE-2026-41063 | unknown | — | — | 2mo ago | WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS |
| CVE-2026-41061 | unknown | — | — | 2mo ago | WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver |
| CVE-2026-41060 | unknown | — | — | 2mo ago | WWBN AVideo: SSRF via Same-Domain Hostname with Alternate Port Bypasses isSSRFSafeURL() |
| CVE-2026-41058 | unknown | — | — | 2mo ago | WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal |
| CVE-2026-41057 | unknown | — | — | 2mo ago | WWBN AVideo: CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses |
| CVE-2026-41056 | unknown | — | — | 2mo ago | WWBN AVideo: CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover |
| CVE-2026-41055 | unknown | — | — | 2mo ago | WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF |
| CVE-2026-40935 | unknown | — | — | 2mo ago | CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure |
| CVE-2026-40929 | unknown | — | — | 2mo ago | WWBN AVideo: Missing CSRF Protection in objects/commentDelete.json.php Enables Mass Comment Deletion Against Moderators and Content Creators |
| CVE-2026-40928 | unknown | — | — | 2mo ago | WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion |
| CVE-2026-40925 | unknown | — | — | 2mo ago | WWBN AVideo: CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials |
| CVE-2026-40911 | unknown | — | — | 2mo ago | WWBN AVideo: YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks |
| CVE-2026-40909 | unknown | — | — | 2mo ago | WWBN AVideo: Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) |
| CVE-2026-40908 | unknown | — | — | 2mo ago | WWBN AVideo: Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version |
| CVE-2026-40907 | unknown | — | — | 2mo ago | WWBN AVideo: IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens |
| CVE-2026-39367 | unknown | — | — | 2mo ago | WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in the AVideo EPG Page |
| CVE-2026-39366 | unknown | — | — | 2mo ago | WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php |
| CVE-2026-35452 | unknown | — | — | 2mo ago | AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php |
| CVE-2026-35450 | unknown | — | — | 2mo ago | AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php |
| CVE-2026-35449 | unknown | — | — | 2mo ago | AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php |
| CVE-2026-35448 | unknown | — | — | 2mo ago | AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php |
| CVE-2026-35181 | unknown | — | — | 2mo ago | AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php |
| CVE-2026-35179 | unknown | — | — | 2mo ago | AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php |
| CVE-2026-34740 | unknown | — | — | 2mo ago | AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation |
| CVE-2026-34739 | unknown | — | — | 2mo ago | AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php |
| CVE-2026-34738 | unknown | — | — | 2mo ago | AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter |
| CVE-2026-34737 | unknown | — | — | 2mo ago | AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug |
| CVE-2026-34733 | unknown | — | — | 2mo ago | AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard |
| CVE-2026-34732 | unknown | — | — | 2mo ago | AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints |
| CVE-2026-34731 | unknown | — | — | 2mo ago | AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php |
| CVE-2026-34716 | unknown | — | — | 2mo ago | AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification |
| CVE-2026-34613 | unknown | — | — | 2mo ago | AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins |
| CVE-2026-34611 | unknown | — | — | 2mo ago | AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users |
| CVE-2026-34396 | unknown | — | — | 2mo ago | AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel |
| CVE-2026-34395 | unknown | — | — | 2mo ago | AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php |
| CVE-2026-34394 | unknown | — | — | 2mo ago | AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking |
| CVE-2026-34375 | unknown | — | — | 2mo ago | AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page |
| CVE-2026-34369 | unknown | — | — | 2mo ago | AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification |
| CVE-2026-34364 | unknown | — | — | 2mo ago | AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php |
| CVE-2026-34362 | unknown | — | — | 2mo ago | AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() |
| CVE-2026-34247 | unknown | — | — | 2mo ago | AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications |
| CVE-2026-34245 | unknown | — | — | 2mo ago | AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking |
| CVE-2026-33867 | unknown | — | — | 2mo ago | AVideo has Plaintext Video Password Storage |
| CVE-2026-33770 | unknown | — | — | 2mo ago | AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables |
| CVE-2026-33767 | unknown | — | — | 2mo ago | AVideo has SQL Injection via Partial Prepared Statement: videos_id Concatenated Directly into Query |
| CVE-2026-33766 | unknown | — | — | 2mo ago | AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints |
| CVE-2026-33764 | unknown | — | — | 2mo ago | AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions |
| CVE-2026-33763 | unknown | — | — | 2mo ago | AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via a Boolean Oracle Without Rate Limiting |
| CVE-2026-33761 | unknown | — | — | 2mo ago | AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings |
| CVE-2026-33759 | unknown | — | — | 2mo ago | AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents |
| CVE-2026-33723 | unknown | — | — | 2mo ago | AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter |
| CVE-2026-33719 | unknown | — | — | 2mo ago | AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment |
| CVE-2026-33717 | unknown | — | — | 2mo ago | AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL |
| CVE-2026-33716 | unknown | — | — | 2mo ago | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php |
| CVE-2026-33690 | unknown | — | — | 2mo ago | AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() |
| CVE-2026-33688 | unknown | — | — | 2mo ago | AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint |
| CVE-2026-33685 | unknown | — | — | 2mo ago | AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data |
| CVE-2026-33683 | unknown | — | — | 2mo ago | AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field |
| CVE-2026-33681 | unknown | — | — | 2mo ago | AVideo: Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name |
| CVE-2026-33651 | unknown | — | — | 2mo ago | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat() |
| CVE-2026-33650 | unknown | — | — | 2mo ago | AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion |
| CVE-2026-33649 | unknown | — | — | 2mo ago | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification |
| CVE-2026-33648 | unknown | — | — | 2mo ago | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path |
| CVE-2026-33647 | unknown | — | — | 2mo ago | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload |
| CVE-2026-33513 | unknown | — | — | 3mo ago | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP) |
| CVE-2026-33512 | unknown | — | — | 3mo ago | AVideo has an Unauthenticated Decrypt Oracle That Decrypts Arbitrary Ciphertext |
| CVE-2026-33507 | unknown | — | — | 3mo ago | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload |
| CVE-2026-33502 | unknown | — | — | 3mo ago | AVideo has Unauthenticated SSRF via plugin/Live/test.php |
| CVE-2026-33501 | unknown | — | — | 3mo ago | AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin |
| CVE-2026-33500 | unknown | — | — | 3mo ago | AVideo: Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization |
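Several entries above (the isSSRFSafeURL() redirect and DNS-rebinding bypass, the unused $resolvedIP out-param, the same-domain alternate-port bypass, and the CURLOPT_FOLLOWLOCATION redirect bypasses) describe one failure: the check and the connection disagree about where the request actually goes. The following is an added example, not AVideo's code, of a guard that hands back the address it validated and a fetch that connects only to that address and re-validates every redirect hop. The names ssrfSafeUrl() and fetchWithoutSsrf(), and the port allow-list, are assumptions of this example.

```php
<?php
// Added example, not AVideo's code: an SSRF guard that returns the IP it
// resolved, plus a fetch that pins the connection to that IP and re-checks
// each redirect target. ssrfSafeUrl() and fetchWithoutSsrf() are hypothetical.

function ssrfSafeUrl(string $url, ?string &$resolvedIP = null): bool
{
    $resolvedIP = null;
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                               // no file://, gopher://, dict://, ...
    }
    // Decide on (scheme, port), not on the host name alone: "our own domain
    // on port 3306" is still a request to an internal service.
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443, 8080, 8443], true)) {   // allow-list is an assumption
        return false;
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;                                // literal address, nothing to resolve
    } else {
        $records = dns_get_record($host, DNS_A | DNS_AAAA);   // resolve exactly once
        if (empty($records)) {
            return false;
        }
        $ip = $records[0]['ip'] ?? $records[0]['ipv6'] ?? null;
        if ($ip === null) {
            return false;
        }
    }
    // Loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata) and reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    $resolvedIP = $ip;                              // the caller must connect to THIS address
    return true;
}

function fetchWithoutSsrf(string $url, int $maxRedirects = 3): ?string
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        if (!ssrfSafeUrl($url, $ip)) {
            return null;
        }
        $parts  = parse_url($url);
        $scheme = strtolower($parts['scheme']);
        $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
        $host   = trim($parts['host'], '[]');
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER         => true,
            CURLOPT_FOLLOWLOCATION => false,        // libcurl must never follow on its own
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
            // Pin the socket to the IP that passed the check. libcurl does not
            // resolve the name a second time, so a rebinding answer has no window.
            CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
        ]);
        $raw      = curl_exec($ch);
        $code     = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $location = curl_getinfo($ch, CURLINFO_REDIRECT_URL);   // Location of the last response
        $hdrSize  = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        curl_close($ch);
        if ($raw === false) {
            return null;
        }
        if (is_string($location) && $location !== '' && in_array($code, [301, 302, 303, 307, 308], true)) {
            $url = $location;                       // next hop goes through ssrfSafeUrl() again
            continue;
        }
        return substr($raw, $hdrSize);
    }
    return null;                                    // too many redirects
}
```

The two halves only work together: a guard that discards its resolved address leaves the connect step free to resolve the name again (the rebinding window), and a pinned connect that lets libcurl follow redirects reintroduces the unchecked hop. Whatever the guard returns as $resolvedIP is what goes into CURLOPT_RESOLVE.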
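The shell-metacharacter entries (the execAsync branch in on_publish.php, base64Url in objects/getImage.php, users_id and liveTransmitionHistory_id in the restreamer log path) share one root cause: attacker-controlled strings concatenated into a command line. The block below is an added example, not AVideo's code; job.php, the log path and the parameter names are hypothetical stand-ins for values an RTMP callback receives from the publisher.

```php
<?php
// Added example, not AVideo's code. A hypothetical helper that spawns a
// background job for a live stream; $streamName and $usersId stand in for
// values an RTMP on_publish callback receives from the client.

// BEFORE: string interpolation. A stream name such as
//   stream1; id > /tmp/pwned #
// ends the intended command at ";" and the shell runs the rest.
function buildCommandUnsafe(string $streamName, string $usersId): string
{
    return "php /var/www/job.php $streamName $usersId > /var/log/job_$usersId.log 2>&1 &";
}

// AFTER: enforce the shape of what has a shape, quote everything else.
function buildCommandSafe(string $streamName, string $usersId): string
{
    if (!ctype_digit($usersId)) {                   // an ID that reaches a path or argv is digits or nothing
        throw new InvalidArgumentException('users_id must be numeric');
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes, so
    // ; | & $ ` ( ) and newlines reach job.php as ordinary characters.
    return 'php /var/www/job.php ' . escapeshellarg($streamName) . ' ' . escapeshellarg($usersId)
         . ' > ' . escapeshellarg('/var/log/job_' . $usersId . '.log') . ' 2>&1 &';
}

// BEST: no shell at all. With an argv array (PHP 7.4+) proc_open() execs the
// program directly, so there is no command line for metacharacters to break out of.
function runJobWithoutShell(string $streamName, string $usersId): int
{
    if (!ctype_digit($usersId)) {
        throw new InvalidArgumentException('users_id must be numeric');
    }
    $log  = '/var/log/job_' . $usersId . '.log';
    $spec = [1 => ['file', $log, 'a'], 2 => ['file', $log, 'a']];
    $proc = proc_open(['php', '/var/www/job.php', $streamName, $usersId], $spec, $pipes);
    return is_resource($proc) ? proc_close($proc) : -1;
}

// Constructed hostile input, as a publisher could send it in the stream name.
$hostile = 'stream1; id > /tmp/pwned #';
echo buildCommandUnsafe($hostile, '42'), PHP_EOL;   // ";" splits the command
echo buildCommandSafe($hostile, '42'), PHP_EOL;     // the whole name is one quoted argument
```

Note that escaping the stream name alone would not have fixed the log-path case: an ID that is interpolated into a redirect target has to be validated as an integer, because quoting a path fragment protects the shell but not the file that ends up being written.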
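The path-traversal entries (updateFile under updatedb/, view/img/image404Raw.php, the locale save endpoint, pluginRunDatabaseScript.json.php, and the query-string bypass of the ReceiveImage downloadURL fix) come down to opening a path that is not the path that was validated. What follows is an added example, not AVideo's code; resolveUnderBase() and the demo directory are hypothetical.

```php
<?php
// Added example, not AVideo's code: resolve a user-supplied file name under a
// fixed base directory and refuse anything that escapes it. resolveUnderBase()
// and the updatedb_demo directory are hypothetical.

function resolveUnderBase(string $baseDir, string $userPath, string $ext = '.sql'): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Validate the exact string that will be opened. No slashes, no leading dot,
    // no NUL, no "?" or "#": a request like "x.sql?../../etc/passwd" is rejected
    // outright instead of being trimmed into something that passes.
    if (!preg_match('~^[A-Za-z0-9_][A-Za-z0-9_.-]*$~', $userPath)) {
        return null;
    }
    if ($ext !== '' && substr($userPath, -strlen($ext)) !== $ext) {
        return null;                                    // only the expected file type
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                                    // missing file or dangling symlink
    }
    // Containment after symlink resolution: realpath() follows links, so a
    // link inside the base that points outside it is caught here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed directory in the system temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'updatedb_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . '2026_add_column.sql', "ALTER TABLE t ADD c INT;\n");
$inputs = [
    '2026_add_column.sql',          // legitimate
    '../../../../etc/passwd',       // classic traversal
    '2026_add_column.sql?x=1',      // query-string variant: rejected, not trimmed
    '.htaccess',                    // hidden file
    'config.php',                   // wrong extension
];
foreach ($inputs as $p) {
    printf("%-28s -> %s\n", $p, resolveUnderBase($base, $p) ?? 'rejected');
}
```

The order matters: the name is validated first as a plain string, then canonicalised with realpath(), and only the canonical result is compared against the base. Checking the raw string and then opening a derived one (or the reverse) is exactly the gap the query-string bypass walked through.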