Vypr Intelligence · AI-generated · Jun 20, 2026 · 5 CVEs

AVideo: Five Unpatched Flaws Disclosed — Auth Bypass, SSRF, Payment Data Leak, and XSS

Five unpatched vulnerabilities in WWBN's AVideo platform expose PGP decryption, session hijacking, payment data, SSRF, and stored XSS — several exploitable without authentication.

Key findings

  • CVE-2026-56346 allows unauthenticated PGP message decryption via decryptMessage.json.php
  • CVE-2026-56345 enables arbitrary user session hijacking through the Meet plugin
  • CVE-2026-56341 exposes PayPal tokens and Bitcoin records without authentication
  • CVE-2026-56342 is an SSRF in Live/test.php targeting cloud metadata endpoints
  • CVE-2026-56347 is a stored XSS in the TopMenu plugin through unescaped fields
  • No patches have been released for any of the five CVEs as of disclosure

Five vulnerabilities were disclosed together on June 20, 2026, in WWBN's AVideo platform, spanning authentication bypass, session hijacking, server-side request forgery, stored cross-site scripting, and unauthenticated payment data exposure. The batch, which affects versions through 29.0, includes flaws that could allow remote attackers to decrypt PGP messages, hijack user sessions, exfiltrate payment records, and more — without requiring authentication in several cases.

Authentication & Authorization Flaws

Two of the most severe issues involve missing authentication checks. CVE-2026-56346 is an authentication bypass in the decryptMessage.json.php endpoint that lets unauthenticated attackers submit private keys, ciphertext, and passphrases to decrypt PGP messages server-side, exposing both the decrypted content and the key material itself. CVE-2026-56345 targets the Meet plugin's uploadRecordedVideo.json.php endpoint, where the target user ID is derived from the uploaded filename without verification. An attacker who knows the Meet shared secret can craft a malicious upload to hijack any user's session.

Payment Data Exposure

CVE-2026-56341 exposes multiple list.json.php endpoints in payment plugins that lack any authorization checks. Unauthenticated attackers can retrieve PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records — including agreement IDs and user financial details — from the payment log DataTables endpoints.

Server-Side Request Forgery

CVE-2026-56342 is an SSRF vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter. The endpoint lacks isSSRFSafeURL() validation, meaning attackers can target private IP ranges and cloud metadata endpoints, potentially exfiltrating cloud instance credentials.

Stored Cross-Site Scripting

CVE-2026-56347 affects the TopMenu plugin through version 26.0. Menu item fields — icon classes, URLs, and text labels — are rendered without output encoding, enabling stored XSS. An attacker can inject malicious JavaScript that executes for every site visitor.

Response & Patch Status

WWBN has not yet released patches for any of the five CVEs. The affected version ranges vary: CVE-2026-56346 impacts AVideo through 25.0, CVE-2026-56341 and CVE-2026-56347 through 26.0, CVE-2026-56342 through 27.0, and CVE-2026-56345 through 29.0. Administrators are advised to restrict access to the vulnerable endpoints via web server rules or firewall policies until official updates are available.
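One way to apply the stopgap described above, as an added example rather than configuration from WWBN or the advisory: Apache 2.4 directives that cut off the affected endpoints until fixes ship. Only plugin/Live/test.php is given as a full path in the disclosure, so the other endpoints are matched by file name; the payment plugin directory names and the admin network range (203.0.113.0/24) are placeholders to replace with your own values.

```apache
# Added example (not from WWBN or the advisory): temporary Apache rules for
# the endpoints named in the five CVEs. Place them in the AVideo virtual host,
# or in the site's top-level .htaccess for the <FilesMatch> sections if
# AllowOverride permits it (<Location*> sections only work in the vhost).

# CVE-2026-56346: PGP decryption endpoint reachable without authentication.
# Matched by file name because the advisory does not give its directory.
<FilesMatch "^decryptMessage\.json\.php$">
    Require all denied
</FilesMatch>

# CVE-2026-56345: Meet plugin upload endpoint that takes the target user ID
# from the uploaded file name. Meet recording uploads stop working while
# this is in place.
<FilesMatch "^uploadRecordedVideo\.json\.php$">
    Require all denied
</FilesMatch>

# CVE-2026-56341: payment-plugin list.json.php endpoints with no authz.
# PAYMENT_PLUGIN_1/2 are placeholders: fill in the directory names of the
# PayPal, Authorize.Net and Bitcoin plugins from your install. Restricting
# to the admin network keeps the admin-side DataTables pages usable.
# <LocationMatch> tests the request URI, so it covers direct requests; check
# that no rewrite rule reaches these files under a different URI.
<LocationMatch "^/plugin/(PAYMENT_PLUGIN_1|PAYMENT_PLUGIN_2)/.*list\.json\.php$">
    Require ip 203.0.113.0/24
</LocationMatch>

# CVE-2026-56342: Live plugin test page (path from the advisory). It is an
# admin feature, so limit it to the admin network instead of blocking it.
<Location "/plugin/Live/test.php">
    Require ip 203.0.113.0/24
</Location>

# CVE-2026-56347 (stored XSS in TopMenu) is not a path-level problem: no
# request rule helps, so review existing TopMenu entries for injected
# markup while waiting for the fix.
```

After reloading Apache, confirm with an unauthenticated request from outside the admin range that each blocked path returns 403 rather than JSON, and that the admin pages you still need continue to load from inside it.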

Bottom Line

This batch of disclosures highlights a recurring pattern in AVideo's codebase: missing or insufficient authorization checks across multiple plugins and core endpoints. With no patches yet available, organizations running AVideo should audit their deployments for exposure of the vulnerable endpoints and apply network-level access controls as a stopgap.

AI-written article. Grounded in 5 CVE records listed below.