VYPR

by WWBN

CVEs (188)

Columns: CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description (a blank cell is shown as -)

CVE-2026-33867 | Severity: High | Risk: 0.49 | CVSS: 7.5 | EPSS: 0.00 | KEV: - | Published: Mar 27, 2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext: no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext. Commit f2d68d2adbf73588ea61be2b781d93120a819e36 contains a patch.

CVE-2026-43874 | Severity: High | Risk: 0.47 | CVSS: 7.2 | EPSS: 0.00 | KEV: - | Published: May 11, 2026
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field: the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix.

CVE-2026-41057 | Severity: High | Risk: 0.46 | CVSS: 7.1 | EPSS: 0.00 | KEV: - | Published: Apr 21, 2026
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.

CVE-2026-40926 | Severity: High | Risk: 0.46 | CVSS: 7.1 | EPSS: 0.00 | KEV: - | Published: Apr 21, 2026
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints (`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`) enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.

CVE-2026-39370 | Severity: High | Risk: 0.46 | CVSS: 7.1 | EPSS: 0.00 | KEV: - | Published: Apr 7, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an authenticated uploader to turn the upload-by-URL flow into a reliable SSRF response-exfiltration primitive. The vulnerability is caused by an incomplete fix for CVE-2026-27732.
CVE-2026-45578 | Severity: High | Risk: 0.45 | CVSS: - | EPSS: - | KEV: - | Published: May 15, 2026

## Summary

**Type:** Classic shell-metacharacter injection. The YPTSocket notification branch in `plugin/Live/on_publish.php` builds an `execAsync()` command line by string concatenation, single-quoting each argument but never calling `escapeshellarg()`. A `'` in any of the three interpolated values (`$users_id`, `$m3u8`, `$obj->liveTransmitionHistory_id`) closes the quoted token and lets the attacker append arbitrary commands.

**File:** `plugin/Live/on_publish.php`, line 267.

**Root cause:** the developer wrapped each variable in literal single quotes (`'$users_id'`, `'$m3u8'`, `'$obj->liveTransmitionHistory_id'`) believing this provides shell quoting. A PHP string single-quoted into a shell command is not safe quoting; it is just two literal quote characters that the shell pairs greedily. Any embedded `'` closes the outer string and resumes interpretation in the shell. The rest of the AVideo codebase already calls `escapeshellarg()` (137 call sites across the project) for ffmpeg invocations, so the safe primitive is well known to the project; it was simply omitted from this branch. The endpoint is web-reachable (no `.htaccess` rule restricts `on_publish.php`, no `REMOTE_ADDR` check), so the trigger is a direct HTTP POST without going through nginx-rtmp.

## Affected Code

**File:** `plugin/Live/on_publish.php`, lines 256-271.

```php
if (AVideoPlugin::isEnabledByName('YPTSocket')) {
    $array = setLiveKey($lth->getKey(), $lth->getLive_servers_id());
    @ob_clean();
    _ob_start();
    $lth = new LiveTransmitionHistory($obj->liveTransmitionHistory_id);
    $m3u8 = Live::getM3U8File($lth->getKey(), false, true); // value-carrying URL: contains the stream key verbatim
    $users_id = $obj->row['users_id'];
    $liveTransmitionHistory_id = $obj->liveTransmitionHistory_id;
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        include "{$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php";
    } else {
        $command = get_php(). " {$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php '$users_id' '$m3u8' '{$obj->liveTransmitionHistory_id}'"; // <-- BUG: literal quotes, no escapeshellarg
        $pid = execAsync($command); // sink: shell exec
    }
}
```

`Live::getM3U8File($key, false, true)` (`Live.php:1337-1350` -> `Live.php:4845-4889`) returns `"{$playerServer}{$uuid}.m3u8"` (or `"{$playerServer}{$uuid}/index.m3u8"`) where `$uuid = $this->getKeyWithIndex(...)` is the stream key string read straight out of the `live_transmitions` table. There is no character normalisation between database read and command construction.

**Why it's wrong:** `'$m3u8'` is not shell quoting. PHP interpolates `$m3u8` into the string between two literal `'` characters. The shell then tokenises the result. If `$m3u8` contains `'` itself, the shell sees `'…'` followed by `<attacker bytes>` followed by another `'`, which forms two adjacent quoted strings concatenated with whatever the attacker put between them. Embedded `;`, backticks, `$()`, `&&`, `|`, or `\n` then run as shell commands. The fix is `escapeshellarg()`, which AVideo already uses 137 times in ffmpeg invocations (e.g. `getVideos.php:1069`, `videos.json.php`, `aVideoEncoder.json.php`); this branch simply forgot it.

## Exploit Chain

1. Attacker authenticates and arranges for one of the command variables to contain `'`. Under the current code the readily available primitive is a `canStream` user supplying a stream key via the persistence path (`saveLive.php`'s `$_REQUEST['key']` is written verbatim to `live_transmitions.key`). State: a row exists with `key = "evilkey';id>/tmp/pwn;#"`.
2. Attacker POSTs directly to `https://target/plugin/Live/on_publish.php` (the file is web-served, no IP restriction) with body:
   ```
   name=evilkey';id>/tmp/pwn;#
   p=<md5(attacker_password)>
   tcurl=rtmp://target/live
   addr=1.2.3.4
   ```
   `on_publish.php:117` runs `preg_replace("/[&=]/", '', $_POST['name'])`; only `&`/`=` are stripped, so `';id>/tmp/pwn;#` survives. Lines 143-163 confirm `$_GET['p'] === $user->getPassword()` (the attacker is themself and knows their own MD5), persist a `LiveTransmitionHistory` row with the poisoned key, and set `$obj->error = false`. State: authorisation gate passed.
3. Line 261 calls `Live::getM3U8File($lth->getKey(), false, true)`, returning `"https://server/live/evilkey';id>/tmp/pwn;#.m3u8"`. State: `$m3u8` carries the injection payload.
4. Line 267 builds the command string by concatenation:
   ```
   php /var/www/AVideo/plugin/Live/on_publish_socket_notification.php '7' 'https://server/live/evilkey';id>/tmp/pwn;#.m3u8' '42'
   ```
   Shell tokenisation sees: `php`, `…/on_publish_socket_notification.php`, `'7'`, `'https://server/live/evilkey'` (the attacker's `'` closed the second quote), then operator `;`, then command-2 `id>/tmp/pwn`, then `;`, then `#.m3u8' '42'` (everything after `#` is a comment). State: the shell has parsed two real commands.
5. Line 269 `execAsync($command)` spawns the shell, which runs the secondary command `id>/tmp/pwn` as the AVideo PHP-FPM/Apache user. State: arbitrary OS command execution with the privileges of the web-server runtime user.
6. Final state: the attacker reads `/tmp/pwn`, swaps the payload for a reverse shell, exfiltrates `videos/configuration.php` (database password and root URL), drops a webshell into the upload tree, or pivots to other plugin credentials (PayPal/Stripe API keys, AWS keys for the CDN plugin, OpenAI key for the AI plugin).

## Security Impact

**Severity:** sec-high. Pre-auth-friendly remote code execution: the only prerequisite is that the attacker can place a `'` into one of the three command-line variables, which on a streaming platform means a single low-privilege account.

**Attacker capability:** with one `canStream` account and two HTTP requests, the attacker executes arbitrary shell commands as the AVideo runtime user. From there: read database credentials, exfiltrate user data, write a webshell into a publicly served path, pivot to plugin credentials, persist via cron, or escalate via any local sudoers entries.

**Preconditions:** AVideo deployment with `Live` and `YPTSocket` plugins enabled (the standard live-streaming bundle); attacker can reach `/plugin/Live/on_publish.php` over the network; a value containing `'` is reachable into `users_id`, `m3u8`, or `liveTransmitionHistory_id` (the current code lets `canStream` users supply such a value via the stream-key persistence path).

**Differential:** source-inspection-verified end-to-end. The shell-tokenising behaviour of `'…'…'…'` is reproducible offline:

```sh
$ s="php /a/b.php '7' 'https://s/live/evilkey';id>/tmp/pwn;#.m3u8' '42'"
$ rm -f /tmp/pwn; bash -c "$s" 2>/dev/null; ls -l /tmp/pwn
-rw-r--r-- 1 user user N <date> /tmp/pwn   # injected `id` ran, output captured
```

The patched build (with the suggested `escapeshellarg()` fix below applied) constructs `php /a/b.php '7' 'https://s/live/evilkey'\'';id>/tmp/pwn;#.m3u8' '42'`, which the shell parses as a single argument containing the literal characters; the second command never runs.

## Suggested Fix

Use `escapeshellarg()` on every variable interpolated into the command string. This matches established project conventions (137 other call sites for ffmpeg invocations).

```diff
--- a/plugin/Live/on_publish.php
+++ b/plugin/Live/on_publish.php
@@ -264,7 +264,11 @@
     if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
         include "{$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php";
     } else {
-        $command = get_php(). " {$global['systemRootPath']}plugin/Live/on_publish_socket_notification.php '$users_id' '$m3u8' '{$obj->liveTransmitionHistory_id}'";
+        $command = get_php()
+            . ' ' . escapeshellarg($global['systemRootPath'] . 'plugin/Live/on_publish_socket_notification.php')
+            . ' ' . escapeshellarg((string) $users_id)
+            . ' ' . escapeshellarg((string) $m3u8)
+            . ' ' . escapeshellarg((string) $obj->liveTransmitionHistory_id);
         _error_log("NGINX Live::on_publish YPTSocket start ($command)");
         $pid = execAsync($command);
     }
```

Defence-in-depth: `on_publish.php` is the nginx-rtmp webhook and should not be reachable from the public Internet. Add an `.htaccess`/nginx `location` rule restricting the file to `127.0.0.1` and any configured RTMP server IPs. That blocks the trigger path independently of the sanitisation work.
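Review bot: the `_error_log("NGINX Live::on_publish YPTSocket start ($command)")` context line kept below the `+` lines still writes the whole command line into the application log, and `$m3u8` is described above as carrying the stream key verbatim, so the key lands in log files on every publish; log only `$obj->liveTransmitionHistory_id` (or a redacted command) instead. The Affected Code listing (lines 256-271) also omits that `_error_log` line, so the listing and the hunk disagree about what sits between the `$command` assignment and `execAsync()`; align the two.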
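An added, stand-alone demonstration (not AVideo code) of the quoting point above: it builds the notification command line both the vulnerable way and with `escapeshellarg`-equivalent quoting, then shows how many argv entries each form produces. `notify_stub` is an assumed stand-in for `on_publish_socket_notification.php`, `KEY` is a constructed stream key, and the injected command is a harmless `echo` rather than the advisory's `id` redirect.

```shell
#!/bin/sh
# Added example, not AVideo project code: shows why wrapping an interpolated
# value in literal single quotes does not stop shell injection, and that
# escapeshellarg-style quoting (each embedded ' becomes '\'') does.

# Constructed stream key with the shape of payload described in the advisory;
# the injected command is a harmless echo so the demo is safe to run.
KEY="evilkey';echo INJECTED;#"

# Stand-in for on_publish_socket_notification.php: reports its argument count
# and echoes its second argument (the m3u8 / stream-key value).
notify_stub() { printf '%s\n' "$#"; printf 'arg2=%s\n' "$2"; }

# Shell equivalent of PHP escapeshellarg(): wrap in single quotes and replace
# every embedded ' with '\'' so the value stays one argv entry.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Vulnerable construction from on_publish.php: literal quote characters around
# the three unescaped values.
build_unsafe() { printf "notify_stub '%s' '%s' '%s'" "$1" "$2" "$3"; }

# Fixed construction: every argument passed through shquote().
build_safe() {
    printf 'notify_stub %s %s %s' "$(shquote "$1")" "$(shquote "$2")" "$(shquote "$3")"
}

# eval re-parses the command line the way the shell spawned by execAsync() would.
run_cmd() { eval "$1"; }

# Helpers exposing the outcome: argv count seen by the stub, the second
# argument it received, and whether the injected command actually ran.
argc_of() { run_cmd "$1" | head -n 1; }
arg2_of() { run_cmd "$1" | sed -n 's/^arg2=//p'; }
injected() { run_cmd "$1" | grep -q '^INJECTED$' && echo yes || echo no; }

echo "unsafe: argc=$(argc_of "$(build_unsafe 7 "$KEY" 42)") injected=$(injected "$(build_unsafe 7 "$KEY" 42)")"
echo "safe:   argc=$(argc_of "$(build_safe 7 "$KEY" 42)") injected=$(injected "$(build_safe 7 "$KEY" 42)")"
```

The unsafe form hands the stub only two arguments and runs the appended command; the safe form delivers all three, with the hostile key intact as a single argument.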
CVE-2026-43875 | Severity: Medium | Risk: 0.44 | CVSS: 6.8 | EPSS: 0.00 | KEV: - | Published: May 11, 2026
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<email>&pass=<HASH> where <HASH> is the victim's stored password hash (md5(hash("whirlpool", sha1(password)))) read directly from the users table. AVideo's own login endpoint (objects/login.json.php) accepts an encodedPass=1 flag that bypasses hashing and performs a direct string comparison between the supplied value and the stored hash. Anyone who captures the redirect URL (via server logs, referrer leakage, or browser history) therefore obtains a credential equivalent to the plaintext password and can fully take over the account, including admin accounts. Commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 contains an updated fix.

CVE-2026-43876 | Severity: Medium | Risk: 0.42 | CVSS: 6.4 | EPSS: 0.00 | KEV: - | Published: May 11, 2026
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML (phishing links, tracking pixels, CSS/UI spoofing) to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix.

CVE-2026-41062 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Apr 21, 2026
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.

CVE-2026-40907 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Apr 21, 2026
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.

CVE-2026-39368 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Apr 7, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

CVE-2026-39366 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Apr 7, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate via PayPalYPT_log entries, but the v1 handler was never updated and remains actively referenced as the notify_url for billing plans.

CVE-2026-34740 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.

CVE-2026-34737 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscriptions() method that cancels subscriptions instead of merely retrieving them, any authenticated user can cancel arbitrary Stripe subscriptions by providing a subscription ID. At time of publication, there are no publicly available patches.

CVE-2026-34733 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.

CVE-2026-34716 | Severity: Medium | Risk: 0.42 | CVSS: 6.4 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call; no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.

CVE-2026-34613 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.

CVE-2026-34611 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will include the admin's session cookie automatically. An attacker who lures an admin to a malicious page can send an arbitrary HTML email to every user on the platform, appearing to originate from the instance's legitimate SMTP address. At time of publication, there are no publicly available patches.

CVE-2026-34395 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 31, 2026
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user database. At time of publication, there are no publicly available patches.

CVE-2026-33766 | Severity: Medium | Risk: 0.42 | CVSS: 6.5 | EPSS: 0.00 | KEV: - | Published: Mar 27, 2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Commit 8b7e9dad359d5fac69e0cbbb370250e0b284bc12 contains a patch.

Page 2 of 10