| CVE-2026-45578 |
high |
8.8 |
8.8 |
|
|
|
19d ago |
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsyn… |
| CVE-2026-43885 |
high |
— |
8.0 |
|
|
|
29d ago |
AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization |
| CVE-2026-40926 |
high |
— |
8.0 |
|
|
|
2mo ago |
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) |
| CVE-2026-33492 |
high |
— |
8.0 |
|
|
|
3mo ago |
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration |
| CVE-2026-33485 |
high |
— |
8.0 |
|
|
|
3mo ago |
AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter |
| CVE-2026-43884 |
high |
7.7 |
7.7 |
|
|
|
29d ago |
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() |
| CVE-2026-43873 |
high |
7.5 |
7.5 |
|
|
|
29d ago |
AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server |
| CVE-2026-43874 |
high |
7.2 |
7.2 |
|
|
|
29d ago |
AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass |
