Vypr Intelligence · AI-generated · May 31, 2026 · 9 CVEs

WWBN AVideo: Nine Bugs Disclosed Together — From Wallet Fraud to RCE

Nine security vulnerabilities spanning wallet fraud, shell injection, XSS, and arbitrary file read were disclosed in WWBN's open-source AVideo platform on May 29, 2026, all affecting version 29.0 and earlier.

Key findings

  • CVE-2026-45578 is the most severe (CVSS 8.8) — pre-auth shell injection in the Live plugin's on_publish.php
  • CVE-2026-47696 lets any authenticated user inflate their wallet balance; the payment code hardcodes $paymentSuccess = true
  • CVE-2026-46337 allows unauthenticated attackers to read arbitrary image files off the server disk
  • CVE-2026-45610 is a CSRF on the 2FA toggle — no token needed to disable a user's two-factor auth
  • CVE-2026-45620 enables unauthenticated user enumeration via the mention autocomplete endpoint
  • No patch is available yet; all nine CVEs affect AVideo 29.0 and earlier

On May 29, 2026, nine CVEs landed for WWBN AVideo, the open-source video platform. The batch — disclosed via the project's GitHub Security Advisories — spans a wide attack surface: from an unauthenticated wallet-credit bug that hardcodes payment success, to a pre-auth shell-metacharacter injection rated High (CVSS 8.8), to stored XSS, CSRF, arbitrary file read, and DNS-rebinding flaws. Every vulnerability affects AVideo 29.0 and earlier; no patches have been released at the time of disclosure.

Wallet Fraud via Hardcoded Payment Success

The most unusual bug in the batch is CVE-2026-47696 (High). The endpoint plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based solely on an attacker-controlled amount POST parameter. The code contains a TODO for real Authorize.Net integration, hardcodes $paymentSuccess = true, and then calls Y — the description cuts off, but the implication is clear: any authenticated user can arbitrarily inflate their wallet balance with no actual payment.
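To make the described defect concrete, here is an added PHP illustration (not AVideo's code, and not the AuthorizeNet plugin's) of a wallet credit that trusts a client-supplied amount with success hardcoded, next to a version that only credits what the payment processor actually settled. The gateway lookup, the transaction id field and the wallet array are assumptions of this example.

```php
<?php
// Added illustration, not AVideo's code. The first function mirrors the
// pattern the advisory describes; the second shows a verified-settlement
// pattern. $fetchSettledTransaction is a hypothetical callable standing in
// for a server-to-server query to the payment processor.

declare(strict_types=1);

// Vulnerable shape: trusts POST 'amount' and never contacts the processor.
function creditWalletUnverified(array $post, array &$wallet, int $userId): bool
{
    $amount = (float)($post['amount'] ?? 0);
    $paymentSuccess = true;            // TODO-style stub: always "succeeds"
    if ($paymentSuccess) {
        $wallet[$userId] = ($wallet[$userId] ?? 0.0) + $amount;
        return true;
    }
    return false;
}

// Hardened shape: the credited amount comes from the processor's settled
// transaction record, keyed by transaction id, and each id is credited once.
function creditWalletVerified(
    array $post,
    array &$wallet,
    array &$settledTxIds,
    int $userId,
    callable $fetchSettledTransaction   // fn(string $txId): ?array{amount: float, userId: int}
): bool {
    $txId = (string)($post['transactionId'] ?? '');
    if ($txId === '' || isset($settledTxIds[$txId])) {
        return false;                  // missing id, or an id already credited (replay)
    }
    $tx = $fetchSettledTransaction($txId);
    if ($tx === null || $tx['userId'] !== $userId || $tx['amount'] <= 0) {
        return false;                  // not settled, wrong user, or bogus amount
    }
    $settledTxIds[$txId] = true;
    // Server-side amount from the processor, never the POST parameter.
    $wallet[$userId] = ($wallet[$userId] ?? 0.0) + $tx['amount'];
    return true;
}

// Demo with constructed data.
$wallet = [];
$seen = [];
$gateway = fn(string $id): ?array => $id === 'tx-0001' ? ['amount' => 5.00, 'userId' => 42] : null;

creditWalletUnverified(['amount' => '999999'], $wallet, 42);
echo "unverified balance: {$wallet[42]}\n";   // 999999, no payment ever happened

$wallet = [];
var_dump(creditWalletVerified(['amount' => '999999', 'transactionId' => 'tx-0001'], $wallet, $seen, 42, $gateway)); // true, credits 5
var_dump(creditWalletVerified(['transactionId' => 'tx-0001'], $wallet, $seen, 42, $gateway));                      // false, replayed id
echo "verified balance: {$wallet[42]}\n";     // 5
```

The point of the second function is that the client supplies only a reference to a payment, never its value: the amount, the owning user and the settled status all come from the processor's record, and the id is recorded so the same settlement cannot be credited twice.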

Pre-Auth Shell Injection (CVSS 8.8)

CVE-2026-45578 (High, CVSS 8.8) is a classic shell-metacharacter injection in the Live plugin's on_publish.php hook. The YPTSocket notification branch builds an execAsync() command by string concatenation, single-quoting each argument but never calling escapeshellarg(). A single quote in any argument allows an attacker to break out of the quoted context and execute arbitrary OS commands. Because the on_publish hook fires during stream publishing — which can be triggered by unauthenticated or low-privilege users depending on the deployment — this bug is the batch's highest-severity item.
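The three ways of building that command, as an added PHP example rather than code from AVideo's Live plugin: hand-placed single quotes (the fragile pattern the advisory describes), escapeshellarg(), and proc_open() with an argument array, which avoids the shell altogether. The notifier path, argument names and the stream-key format check are this example's own assumptions.

```php
<?php
// Added example, not AVideo's code. Contrasts hand-quoted command building
// with escapeshellarg() and with proc_open()'s array form (PHP >= 7.4),
// which runs the program directly so no shell re-parses the arguments.
// NOTIFIER is a placeholder path.

declare(strict_types=1);

const NOTIFIER = '/opt/example/notify.php';

// Fragile: wraps values in single quotes by hand. A quote character inside
// a value ends the quoting early and the shell parses what follows.
function buildCommandHandQuoted(string $streamKey, string $event): string
{
    return "php " . NOTIFIER . " '" . $streamKey . "' '" . $event . "'";
}

// Safer: escapeshellarg() escapes embedded quotes, so each value stays one
// argument whatever characters it contains.
function buildCommandEscaped(string $streamKey, string $event): string
{
    return 'php ' . escapeshellarg(NOTIFIER) . ' '
        . escapeshellarg($streamKey) . ' ' . escapeshellarg($event);
}

// Safest: no shell at all. Returns the child's exit status.
function runNotifierNoShell(string $streamKey, string $event): int
{
    $proc = proc_open(
        ['php', NOTIFIER, $streamKey, $event],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Defence in depth: stream keys are generated by the application, so a
// strict allow-list can reject anything unexpected before it goes anywhere.
function isValidStreamKey(string $key): bool
{
    return preg_match('/^[A-Za-z0-9_-]{8,64}$/', $key) === 1;
}

// Constructed input containing a single quote and a space.
$key = "abc' def";
echo buildCommandHandQuoted($key, 'publish'), "\n"; // the quote closes the argument early
echo buildCommandEscaped($key, 'publish'), "\n";    // the quote is escaped; still one argument
var_dump(isValidStreamKey($key));                   // false
var_dump(isValidStreamKey('live_0123456789'));      // true
```

Of the three, the proc_open() array form is the one to prefer for new code: escapeshellarg() is correct when used consistently, but the advisory's bug is precisely that one call site forgot it, and there is nothing to forget when no shell is involved.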

Stored XSS and CSRF

Three CVEs cover cross-site scripting and request forgery:

  • CVE-2026-47694 (Medium, CVSS 5.4): Stored XSS via category descriptions. AVideo stores user-supplied category descriptions and later renders category_description as raw HTML in the Gallery view. Any user who can create or edit categories can inject JavaScript that executes when another user views the gallery.
  • CVE-2026-45580 (Medium, CVSS 5.4): Stored XSS in the Live plugin's "YouTube-style" view. The stream key is echoed raw into an HTML class attribute without htmlspecialchars(). A user with canStream privileges can persist a malicious key containing a quote to break the attribute and inject scripts.
  • CVE-2026-45610 (Medium, CVSS 5.7): A CSRF vulnerability on the 2FA toggle. The endpoint plugin/LoginControl/set.json.php accepts POST type=set2FA value=false and disables two-factor authentication for the session-authenticated user — with no CSRF token or confirmation. An attacker who tricks an admin into clicking a crafted link can silently disable their 2FA.
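For the two XSS items and the CSRF item above, an added PHP example (not AVideo's code) of the guards that close them: context-correct escaping for attribute and body positions, and an origin-bound CSRF token plus a fresh second-factor proof on the 2FA-disable path. Session layout, field names and the OTP verifier are assumptions of this example.

```php
<?php
// Added example, not AVideo's code. h() escapes for HTML attribute and
// element-body contexts; the CSRF helpers bind a random token to the
// session; handleSet2FA() shows the hardened shape of a 2FA toggle.

declare(strict_types=1);

// ENT_QUOTES escapes both ' and ", so a value cannot close class="..." early.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderStreamDiv(string $streamKey): string
{
    return '<div class="stream-' . h($streamKey) . '"></div>';
}

function renderCategoryDescription(string $description): string
{
    // Render as text, not raw HTML. If rich text is a requirement, run it
    // through an HTML sanitizer instead of echoing it.
    return '<p class="category-description">' . h($description) . '</p>';
}

// CSRF token: random, stored server-side, compared in constant time.
function issueCsrfToken(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrfTokenIsValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'])
        && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// Hardened 2FA toggle: POST only, token required, and disabling 2FA needs a
// current OTP rather than just an authenticated session cookie.
function handleSet2FA(string $method, array $post, array $session, callable $verifyCurrentOtp): array
{
    if ($method !== 'POST') {
        return ['error' => true, 'msg' => 'method not allowed'];
    }
    if (!csrfTokenIsValid($session, $post['csrf'] ?? null)) {
        return ['error' => true, 'msg' => 'invalid CSRF token'];
    }
    $enable = filter_var($post['value'] ?? 'true', FILTER_VALIDATE_BOOLEAN);
    if (!$enable && !$verifyCurrentOtp((string)($post['otp'] ?? ''))) {
        return ['error' => true, 'msg' => 'current 2FA code required to disable'];
    }
    return ['error' => false, 'twoFactorEnabled' => $enable];
}

// Constructed inputs.
echo renderStreamDiv('key" extra'), "\n";          // " becomes &quot;; attribute stays intact
echo renderCategoryDescription('<b>desc</b>'), "\n"; // tags rendered as text

$session = [];
$token = issueCsrfToken($session);
$otpOk = fn(string $otp): bool => $otp === '123456';   // stand-in for a real TOTP check
var_dump(handleSet2FA('POST', ['type' => 'set2FA', 'value' => 'false'], $session, $otpOk)['error']);                                   // true: no token
var_dump(handleSet2FA('POST', ['type' => 'set2FA', 'value' => 'false', 'csrf' => $token, 'otp' => '123456'], $session, $otpOk)['error']); // false
```

Requiring the current OTP to turn 2FA off is the part worth copying even where a CSRF token already exists: it turns "any request the browser can be tricked into sending" into "a request the user deliberately completes".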

Arbitrary File Read and Path Traversal

CVE-2026-46337 (Medium) allows an unauthenticated remote attacker to read arbitrary image files anywhere on disk that the PHP user can open. This includes private user-profile photos normally gated behind ACLs, admin-uploaded thumbnails, and encrypted video previews. The endpoint serves image files without verifying that the requester is authorized to view them.

CVE-2026-45731 (Medium) is an authenticated path-traversal / arbitrary file read in view/update.php. The endpoint reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the application root.
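Both file-read items come down to the same two checks: the resolved path must stay inside the intended directory, and the requester must be authorized for the record that owns the file. An added PHP example (not AVideo's code) of both; the directory names, the migration file-name rule and the authorization callback are this example's assumptions.

```php
<?php
// Added example, not AVideo's code. resolveUnder() canonicalizes a
// client-supplied relative path and refuses anything that escapes the base
// directory; serveImage() adds an ownership check before a file is served.

declare(strict_types=1);

// Resolve $relative under $baseDir; null if it escapes or does not exist.
// realpath() collapses '..' and symlinks, so the comparison is made on the
// canonical path, not on the string the client sent.
function resolveUnder(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject empty, absolute and NUL-containing input before touching the FS.
    if ($relative === '' || $relative[0] === '/' || strpos($relative, "\0") !== false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null;                       // does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return $target;
}

// Tighter still for a migration directory: allow-list the file name shape.
function isMigrationFileName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9._-]+\.sql$/', $name) === 1;
}

// Image serving: the file must sit inside the media root AND the requester
// must be allowed to see the owning record. $canView is a hypothetical
// authorization callback (owner, admin, or public record).
function serveImage(string $mediaRoot, string $relative, callable $canView): ?string
{
    $path = resolveUnder($mediaRoot, $relative);
    if ($path === null || !$canView($relative)) {
        return null;
    }
    return $path;  // caller streams the file with the correct Content-Type
}

// Constructed demo in a temporary directory.
$root = sys_get_temp_dir() . '/avideo-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/updatedb', 0700, true);
file_put_contents($root . '/updatedb/v29.sql', "-- migration\n");
file_put_contents($root . '/secret.txt', "not for you\n");

var_dump(resolveUnder($root . '/updatedb', 'v29.sql') !== null);               // true
var_dump(resolveUnder($root . '/updatedb', '../secret.txt'));                  // NULL, escapes updatedb/
var_dump(isMigrationFileName('../secret.txt'));                                // false
var_dump(serveImage($root, 'updatedb/v29.sql', fn(string $p): bool => false)); // NULL, not authorized
```

The allow-list in isMigrationFileName() is the cheaper guard for the update case: migration files are named by the project, so there is no reason for the parameter to contain a path separator at all.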

Unauthenticated User Enumeration and DNS Rebinding

CVE-2026-45620 (Medium, CVSS 5.3): The endpoint objects/mention.json.php has no authentication gate — only a preg_match('/^@/', $_REQUEST['term']) entry guard and a hardcoded rowCount=10. This enables unauthenticated user enumeration, leaking valid usernames via the mention autocomplete feature.

CVE-2026-45619 (Medium, CVSS 6.5): Multiple locations — including EpgParser.php and plugin/AI/receiveAsync.json.php — call isSSRFSafeURL() but do not use the $resolvedIP out-parameter for DNS pinning via CURLOPT_RESOLVE. This opens a DNS-rebinding TOCTOU window where an attacker can switch the resolved IP between the safety check and the actual request.
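The pinning step the advisory says is missing, as an added PHP example rather than AVideo's isSSRFSafeURL(): resolve once, validate the address, then hand that same address to curl through CURLOPT_RESOLVE so a second lookup cannot substitute a different one. The resolver is injectable so the check runs offline; isPublicIp() and the rebinding resolver are this example's own constructions.

```php
<?php
// Added example, not AVideo's code. checkUrlAndPin() validates the scheme
// and the resolved IP; pinnedCurl() forces the connection to that IP with
// CURLOPT_RESOLVE, closing the gap between the check and the request.
// $resolve is a hypothetical callable (gethostbyname() in production).

declare(strict_types=1);

// Public unicast only: the NO_PRIV_RANGE / NO_RES_RANGE flags reject RFC 1918,
// loopback, link-local and other reserved ranges.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [host, port, resolvedIp] when the URL passes, null otherwise.
function checkUrlAndPin(string $url, callable $resolve): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ip = $resolve($host);
    if (!is_string($ip) || !isPublicIp($ip)) {
        return null;
    }
    return [$host, $port, $ip];
}

// Build a curl handle that can only connect to the address validated above.
function pinnedCurl(string $url, callable $resolve)
{
    $pin = checkUrlAndPin($url, $resolve);
    if ($pin === null) {
        return null;
    }
    [$host, $port, $ip] = $pin;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],  // no second DNS lookup
        CURLOPT_FOLLOWLOCATION => false,   // a redirect would start a new, unpinned resolution
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    return $ch;
}

// Constructed resolver standing in for DNS: the first answer is public,
// the second answer (the "rebind") is loopback.
$answers = ['epg.example.com' => ['203.0.113.10', '127.0.0.1']];
$rebinding = function (string $host) use (&$answers): ?string {
    if (empty($answers[$host])) {
        return null;
    }
    return array_shift($answers[$host]);
};

var_dump(checkUrlAndPin('https://epg.example.com/guide.xml', $rebinding)); // ['epg.example.com', 443, '203.0.113.10']
// A handle built from that result pins epg.example.com:443 to 203.0.113.10,
// so the later answer 127.0.0.1 is never used for the connection.
var_dump(checkUrlAndPin('http://epg.example.com/guide.xml', fn(string $h): ?string => '127.0.0.1')); // NULL, private address rejected
```

Two details matter in practice: the CURLOPT_RESOLVE entry must name the exact port the request will use, and redirects must either be disabled (as here) or re-validated and re-pinned for each hop, otherwise the pin only protects the first request.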

Response and Patch Status

As of the May 29 disclosure, no patched version has been released. All nine CVEs affect AVideo 29.0 and earlier. Users of the platform are advised to monitor the WWBN AVideo GitHub repository for a security release. In the interim, administrators should restrict access to the affected endpoints — particularly plugin/Live/on_publish.php, plugin/AuthorizeNet/processPayment.json.php, and objects/mention.json.php — via web-server access controls or reverse-proxy rules.

Why This Batch Matters

The breadth of this disclosure is notable: a single open-source video platform ships with bugs ranging from a fake payment processor that gives away free wallet credit, to unauthenticated shell injection, to a 2FA toggle that any cross-site request can flip. Together, the nine CVEs paint a picture of an application where authentication, authorization, and input-validation checks are applied inconsistently — or not at all — across its plugin and API surface. For organizations running AVideo as a public-facing video portal, the pre-auth file-read and RCE bugs are the most urgent; for multi-tenant deployments, the wallet-fraud and user-enumeration flaws carry significant business risk.

AI-written article. Grounded in 9 CVE records listed below.