VYPR

AVideo

by WWBN

CVEs (208)

  • CVE-2026-34611 | Medium | Mar 31, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate…

  • CVE-2026-34395 | Medium | Mar 31, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not…

  • CVE-2026-33766 | Medium | Mar 27, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can…

  • CVE-2026-46337 | Medium | May 29, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind…

  • CVE-2026-45620 | Medium | May 29, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.

  • CVE-2026-40908 | Medium | Apr 21, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting…

  • CVE-2026-35452 | Medium | Apr 6, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log…

  • CVE-2026-35450 | Medium | Apr 6, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints…

  • CVE-2026-35449 | Medium | Apr 6, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer…

  • CVE-2026-35179 | Medium | Apr 6, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters…

  • CVE-2026-34245 | Medium | Mar 27, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the…

  • CVE-2026-43878 | Medium | May 11, 2026
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a…

  • CVE-2026-34739 | Medium | Mar 31, 2026
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to…

  • CVE-2026-34396 | Medium | Mar 31, 2026
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly…

  • CVE-2026-45731 | Medium | May 29, 2026
    risk 0.32 | CVSS 4.9 | EPSS 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse…

  • CVE-2026-33237 | Medium | Mar 21, 2026
    risk 0.29 | CVSS 5.5 | EPSS 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check).…

  • CVE-2026-47694 | Medium | May 29, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description,…

  • CVE-2026-43879 | Medium | May 11, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/...,…

  • CVE-2026-43877 | Medium | May 11, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is…

  • CVE-2026-41063 | Medium | Apr 21, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link…
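
Three of the entries above (CVE-2026-33766, CVE-2026-33237 and CVE-2026-43879) describe one failure from different angles: a URL is accepted after a format-only check or a single IP-range check, then handed to an HTTP client that follows redirects on its own, so the destination that is actually fetched is never the one that was validated. The Python below is an example added to this listing to illustrate that pattern and its repair; it is not AVideo's code and not the fix the project shipped. DNS and HTTP are replaced by inline tables (FAKE_DNS, FAKE_HTTP) so it runs offline, and every function and host name in it is the example's own.

```python
"""Constructed demo: SSRF URL validation that survives redirects.

Stand-alone example, not AVideo code. The resolver and HTTP client are
faked with inline tables so it runs offline.
"""
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

# Constructed name -> address table standing in for DNS. The "public"
# addresses are placeholders chosen outside every IANA special-purpose
# range (198.0.2.0/24 is not reserved); they are not real hosts.
FAKE_DNS = {
    "cdn.example.com": ["198.0.2.10"],
    "redirector.example.com": ["198.0.2.11"],
    "intranet.example.com": ["10.0.0.5"],               # RFC 1918 space
    "rebind.example.com": ["198.0.2.12", "127.0.0.1"],  # one public, one loopback record
}

# Constructed HTTP responses: url -> (status, headers, body).
FAKE_HTTP = {
    "https://redirector.example.com/r": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"constructed-metadata-secret"),
    "https://cdn.example.com/hop": (302, {"Location": "/thumb.jpg"}, b""),
    "https://cdn.example.com/thumb.jpg": (200, {}, b"\xff\xd8\xff JPEG"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, {}, b""))


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    # is_global excludes RFC 1918, loopback, link-local (169.254/16, fe80::/10),
    # shared address space, documentation/reserved ranges and IPv4-mapped IPv6
    # (::ffff:127.0.0.1). Multicast is excluded separately because older
    # Python releases report 224.0.0.0/4 as global.
    return ip.is_global and not ip.is_multicast


def is_valid_url(url):
    """Format-only check of the kind CVE-2026-33237 describes: says nothing about where the host points."""
    return re.fullmatch(r"https?://[^\s/?#]+[^\s]*", url) is not None


def is_ssrf_safe_url(url, resolve=fake_resolve):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        return is_public_address(host)      # literal IPv4/IPv6 in the URL
    except ValueError:
        pass                                # not an IP literal, treat as a name
    addrs = resolve(host)
    # Fail closed: unresolvable names are rejected, and every record must be
    # public so a name with one internal A record is refused.
    return bool(addrs) and all(is_public_address(a) for a in addrs)


REDIRECTS = (301, 302, 303, 307, 308)


def naive_get(url, fetch=fake_fetch, resolve=fake_resolve, max_redirects=5):
    """Vulnerable pattern: validate once, then let the client follow redirects blindly."""
    if not is_ssrf_safe_url(url, resolve):
        raise ValueError(f"blocked: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])   # next hop is never re-checked
            continue
        return body
    raise ValueError("too many redirects")


def safe_get(url, fetch=fake_fetch, resolve=fake_resolve, max_redirects=5):
    """Hardened pattern: automatic redirects off, every hop re-validated before it is fetched."""
    for _ in range(max_redirects + 1):
        if not is_ssrf_safe_url(url, resolve):
            raise ValueError(f"blocked: {url}")
        status, headers, body = fetch(url)
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise ValueError("too many redirects")


if __name__ == "__main__":
    print(naive_get("https://redirector.example.com/r"))  # leaks the constructed metadata body
    try:
        safe_get("https://redirector.example.com/r")
    except ValueError as e:
        print(e)                                         # blocked at the second hop
    print(safe_get("https://cdn.example.com/hop"))       # benign same-host redirect still works
```

Two caveats a reviewer would raise against even the hardened form. First, it resolves the name for the check and then lets the client resolve it again to connect, which leaves a DNS-rebinding window; a production fix pins the validated address (connect to the IP and send the Host header, or validate inside the client's connect hook). Second, `ipaddress.ip_address()` rejects non-dotted IPv4 spellings such as `2130706433` or `0x7f.1`, so here they fall through to the resolver and are refused only because the fake resolver knows no such name; a real resolver accepts them, so normalize with inet_aton-compatible parsing before the range check.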

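The reflected and stored XSS entries above hit three different sinks: an HTML attribute (CVE-2026-34739, CVE-2026-34396), a double-quoted JavaScript string literal inside a script block (CVE-2026-43878), and a link destination rendered from markdown (CVE-2026-41063). Each needs a different control, and the entries show what happens when one is skipped or the wrong one is applied. The Python below is an example added to this listing, not AVideo's code or its fix; the render_* helpers, safe_link_href and the payloads are the example's own constructions.

```python
"""Constructed demo: context-specific output encoding and link-scheme allowlisting.

Stand-alone example, not AVideo code.
"""
import html
import json
import re


def render_input_vulnerable(ip):
    """Reflects a request parameter straight into an attribute value (the CVE-2026-34739 shape)."""
    return f'<input type="text" name="ip" value="{ip}">'


def render_input_safe(ip):
    """html.escape with quote=True encodes & < > " ' so the value cannot close the attribute."""
    return f'<input type="text" name="ip" value="{html.escape(ip, quote=True)}">'


def js_string_literal(value):
    """Encode for a double-quoted string inside a <script> block (the CVE-2026-43878 sink).

    json.dumps yields a valid JavaScript string literal and, with ensure_ascii,
    escapes U+2028/U+2029, which are line terminators in JavaScript. The
    characters < > & are then turned into JSON unicode escapes so a value can
    never contain a literal "</script>" and break out of the block.
    HTML entity encoding would be the wrong tool here: &quot; means nothing
    inside a JavaScript string.
    """
    return (json.dumps(value, ensure_ascii=True)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_script_safe(user, password):
    return ("<script>\n"
            f"  var user = {js_string_literal(user)};\n"
            f"  var pass = {js_string_literal(password)};\n"
            "</script>")


ALLOWED_SCHEMES = {"http", "https", "mailto"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def safe_link_href(href):
    """Return href if its scheme is allowed (or it is relative), else None.

    Browsers remove tab/CR/LF anywhere in a URL and leading/trailing C0
    controls before parsing, so "java\tscript:" is still javascript:, and
    scheme matching is case-insensitive. An allowlist of schemes, rather than
    a javascript: denylist, also refuses data:, vbscript: and anything novel.
    """
    cleaned = re.sub(r"[\t\r\n]", "", href).strip(_C0_AND_SPACE)
    m = _SCHEME_RE.match(cleaned.lower())
    if m is None:
        return href            # relative or scheme-relative URL
    return href if m.group(1) in ALLOWED_SCHEMES else None


def render_link(text, href):
    """Markdown-style link output: drop the href when its scheme is refused, escape both parts."""
    safe = safe_link_href(href)
    if safe is None:
        return html.escape(text)   # plain text instead of a clickable link
    return f'<a href="{html.escape(safe, quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print(render_input_vulnerable(payload))
    print(render_input_safe(payload))
    print(render_script_safe("</script><script>alert(1)</script>", "x"))
    print(render_link("docs", "JaVaScRiPt:alert(1)"))
```

The last entry in the list above (an override of inlineMarkup without matching overrides of inlineLink() and inlineUrlTag()) is the general lesson: escaping raw HTML does not cover the href sink, and attribute escaping does not cover the script-string sink. Each rendering path needs the encoder or allowlist that matches its context.
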
Page 3 of 11