VYPR

Avideo

by WWBN

Source repositories

CVEs (208)

  • CVE-2026-43882 | Med | May 11, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar…

  • CVE-2026-34738 | Med | Mar 31, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the…

  • CVE-2026-33764 | Med | Mar 27, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video.…

  • CVE-2026-33238 | Med | Mar 21, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire…

  • CVE-2026-43883 | Med | May 11, 2026
    risk 0.20 | cvss 4.2 | epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A…

  • CVE-2026-33684 | Med | Jun 22, 2026
    risk 0.19 | cvss | epss

    Summary: The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid…

  • CVE-2025-34442 | Dec 17, 2025
    risk 0.03 | cvss | epss 0.01

    AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.

  • CVE-2025-34441 | Dec 17, 2025
    risk 0.03 | cvss | epss 0.01

    AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

  • CVE-2022-32572 | Aug 22, 2022
    risk 0.02 | cvss | epss 0.23

    An OS command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2022-30547 | Aug 22, 2022
    risk 0.02 | cvss | epss 0.64

    A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2023-48728 | Jan 10, 2024
    risk 0.01 | cvss | epss 0.02

    A cross-site scripting (XSS) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to…

  • CVE-2022-32772 | Aug 22, 2022
    risk 0.01 | cvss | epss 0.03

    A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-32771 | Aug 22, 2022
    risk 0.01 | cvss | epss 0.03

    A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-32770 | Aug 22, 2022
    risk 0.01 | cvss | epss 0.03

    A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-30690 | Aug 22, 2022
    risk 0.01 | cvss | epss 0.84

    A cross-site scripting (XSS) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-30534 | Aug 22, 2022
    risk 0.01 | cvss | epss 0.74

    An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this…

  • CVE-2022-26842 | Aug 22, 2022
    risk 0.01 | cvss | epss 0.03

    A reflected cross-site scripting (XSS) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to…

  • CVE-2026-56347 | Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute…

  • CVE-2026-56346 | Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption…

  • CVE-2026-56345 | Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a…

Page 5 of 11