| CVE-2026-33499 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php |
| CVE-2026-33493 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter |
| CVE-2026-33488 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin |
| CVE-2026-33483 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php |
| CVE-2026-33482 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand() |
| CVE-2026-33480 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy |
| CVE-2026-33479 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin |
| CVE-2026-33478 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection |
| CVE-2026-33354 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` |
| CVE-2026-33352 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) |
| CVE-2026-33351 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass |
| CVE-2026-33297 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php |
| CVE-2026-33296 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php |
| CVE-2026-33295 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php |
| CVE-2026-33294 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources |
| CVE-2026-33293 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter |
| CVE-2026-33292 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos |
| CVE-2026-33319 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command |
| CVE-2026-33238 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration |
| CVE-2026-33237 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation |
| CVE-2026-33039 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy |
| CVE-2026-33035 |
unknown |
— |
— |
|
|
|
3mo ago |
Unauthenticated Reflected XSS via innerHTML in AVideo |
| CVE-2026-33043 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS |
| CVE-2026-33041 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php |
| CVE-2026-33038 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments |
| CVE-2026-30885 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has Unauthenticated IDOR - Playlist Information Disclosure |
| CVE-2026-29093 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo: Unauthenticated PHP session store exposed to host network via published memcached port |
| CVE-2026-28502 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction |
| CVE-2026-27732 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php |
| CVE-2026-27568 |
unknown |
— |
— |
|
|
|
3mo ago |
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection |
| CVE-2024-34899 |
unknown |
— |
— |
|
|
|
2y ago |
AVideo cross-site scripting vulnerability in the view/about.php page |
| CVE-2023-50172 |
unknown |
— |
— |
|
|
|
2y ago |
WWBN AVideo recovery notification bypass vulnerability |
| CVE-2023-49810 |
unknown |
— |
— |
|
|
|
2y ago |
WWBN AVideo Improper Restriction of Excessive Authentication Attempts vulnerability |
| CVE-2023-49599 |
unknown |
— |
— |
|
|
|
2y ago |
WWBN AVideo Insufficient Entropy vulnerbaility |
| CVE-2023-32073 |
unknown |
— |
— |
|
|
|
3y ago |
WWBN AVideo command injection vulnerability |
| CVE-2023-30860 |
unknown |
— |
— |
|
|
|
3y ago |
WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account |
| CVE-2023-30854 |
unknown |
— |
— |
|
|
|
3y ago |
Remote code injection in wwbn/avideo |
| CVE-2023-25313 |
unknown |
— |
— |
|
|
|
3y ago |
AVideo contains Command injection when embedding a video link |
| CVE-2020-23489 |
unknown |
— |
— |
|
|
|
4y ago |
AVideo vulnerable to Improper Privilege Management |
| CVE-2022-27463 |
unknown |
— |
— |
|
|
|
4y ago |
Open redirect in wwbn/avideo |
