VYPR advisory · Published May 31, 2026 · 1 source

Nine CVEs Disclosed in WWBN AVideo: Wallet Fraud, Pre-Auth RCE, and More

Nine security vulnerabilities were disclosed in the open-source AVideo platform on May 29, 2026, including a pre-auth shell injection (CVSS 8.8) and a wallet fraud bug that hardcodes payment success.

On May 29, 2026, nine CVEs were disclosed for WWBN AVideo, an open-source video platform. The vulnerabilities span a wide attack surface, from an unauthenticated wallet-credit bug that hardcodes payment success to a pre-auth shell-metacharacter injection rated High (CVSS 8.8), as well as stored XSS, CSRF, arbitrary file read, and DNS-rebinding flaws. All vulnerabilities affect AVideo 29.0 and earlier; no patches have been released at the time of disclosure.

The most unusual bug is CVE-2026-47696 (High), which allows any authenticated user to arbitrarily inflate their wallet balance. The endpoint plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based solely on an attacker-controlled amount POST parameter. The code contains a TODO for real Authorize.Net integration, hardcodes $paymentSuccess = true, and then calls the credit function without any actual payment verification.
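The contrast between crediting on a client-supplied amount and crediting only what a verified gateway transaction reports, written out as an added example. This is illustrative Python, not AVideo's PHP or Authorize.Net's API: `GatewayTransaction`, `lookup`, the sample transaction ids and amounts are all constructed stand-ins for a real gateway query.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Optional, Set, Tuple


@dataclass
class GatewayTransaction:
    """Constructed stand-in for what a gateway returns when asked about one
    transaction id (a real client would query Authorize.Net here)."""
    transaction_id: str
    status: str        # "settled", "declined", "voided", ...
    amount: Decimal    # amount the gateway actually captured


@dataclass
class Wallet:
    balance: Decimal = Decimal("0")
    credited: Set[str] = field(default_factory=set)   # ids already credited


class PaymentRejected(Exception):
    pass


def credit_wallet_vulnerable(wallet: Wallet, amount_param: str) -> Decimal:
    """Shape of the flaw the advisory describes: the amount is taken from the
    request and success is assumed, so no gateway is ever consulted."""
    payment_success = True
    if payment_success:
        wallet.balance += Decimal(amount_param)
    return wallet.balance


def credit_wallet_verified(wallet: Wallet, transaction_id: str, claimed_amount: str,
                           lookup: Callable[[str], Optional[GatewayTransaction]]) -> Decimal:
    """Hardened version: the request only names a transaction and the amount the
    user claims to have paid. Credit happens only if the gateway reports that
    exact transaction as settled for that exact amount, and each transaction id
    is credited at most once (a replay of the same id is refused)."""
    if transaction_id in wallet.credited:
        raise PaymentRejected("transaction already credited")
    try:
        claimed = Decimal(claimed_amount)
    except InvalidOperation:
        raise PaymentRejected("malformed amount")
    txn = lookup(transaction_id)
    if txn is None or txn.transaction_id != transaction_id:
        raise PaymentRejected("unknown transaction")
    if txn.status != "settled":
        raise PaymentRejected("transaction not settled: " + txn.status)
    if txn.amount <= 0:
        raise PaymentRejected("non-positive amount")
    if txn.amount != claimed:
        raise PaymentRejected("amount mismatch between request and gateway")
    wallet.credited.add(transaction_id)
    wallet.balance += txn.amount    # gateway-reported amount, never the request's
    return wallet.balance


def try_credit(wallet: Wallet, transaction_id: str, claimed_amount: str,
               lookup) -> Tuple[bool, str]:
    """Wrapper returning (credited, detail) instead of raising."""
    try:
        return True, str(credit_wallet_verified(wallet, transaction_id, claimed_amount, lookup))
    except PaymentRejected as exc:
        return False, str(exc)


# Constructed sample gateway state for a stand-alone run.
SAMPLE_GATEWAY = {
    "txn-001": GatewayTransaction("txn-001", "settled", Decimal("10.00")),
    "txn-002": GatewayTransaction("txn-002", "declined", Decimal("500.00")),
}


def sample_lookup(transaction_id: str) -> Optional[GatewayTransaction]:
    return SAMPLE_GATEWAY.get(transaction_id)


if __name__ == "__main__":
    w = Wallet()
    print("vulnerable:", credit_wallet_vulnerable(w, "999999"))   # any amount is credited
    w = Wallet()
    print(try_credit(w, "txn-001", "10.00", sample_lookup))       # (True, '10.00')
    print(try_credit(w, "txn-001", "10.00", sample_lookup))       # replay refused
    print(try_credit(w, "txn-002", "500.00", sample_lookup))      # declined, refused
    print(try_credit(w, "txn-999", "1.00", sample_lookup))        # unknown, refused
```

The point of the idempotency set is that a payment callback or a "confirm" request can be retried by the client; the gateway's transaction id, not the request, is the unit that may be credited once.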

CVE-2026-45578 (High, CVSS 8.8) is a classic shell-metacharacter injection in the Live plugin's on_publish.php hook. The YPTSocket notification branch builds an execAsync() command by string concatenation, single-quoting each argument but never calling escapeshellarg(). A single quote in any argument allows an attacker to break out of the quoted context and execute arbitrary OS commands. Because the on_publish hook fires during stream publishing—which can be triggered by unauthenticated or low-privilege users depending on the deployment—this bug is the batch's highest-severity item.
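Why wrapping an argument in single quotes is not escaping, shown as an added example rather than code from the AVideo project. The PHP fix the advisory names is escapeshellarg(); its Python counterpart is shlex.quote(), and the preferred form is an argv list with no shell at all. Nothing below executes a command: shlex.split() is used to show how a POSIX shell would tokenise each command line. The program name and the stream title are constructed sample values.

```python
import shlex
from typing import List


def build_naive(program: str, args: List[str]) -> str:
    """The pattern the advisory describes: wrap each argument in single
    quotes and concatenate. A quote inside an argument ends the quoted
    region early, so the shell sees extra words."""
    return program + " " + " ".join("'" + a + "'" for a in args)


def build_quoted(program: str, args: List[str]) -> str:
    """shlex.quote() (the counterpart of PHP's escapeshellarg()) rewrites
    embedded quotes so each argument stays exactly one shell word."""
    return program + " " + " ".join(shlex.quote(a) for a in args)


def shell_words(command_line: str) -> List[str]:
    """Tokenise the way a POSIX shell would, without executing anything.
    An unbalanced quote is reported rather than raised."""
    try:
        return shlex.split(command_line)
    except ValueError as exc:            # e.g. "No closing quotation"
        return ["<unparseable: " + str(exc) + ">"]


def arguments_preserved(program: str, args: List[str], builder) -> bool:
    """True if the shell would hand the program exactly the intended argv."""
    return shell_words(builder(program, args)) == [program] + list(args)


def argv_no_shell(program: str, args: List[str]) -> List[str]:
    """Preferred form: an argv list for subprocess.run(argv, shell=False).
    No quoting is needed because no shell ever parses the arguments; the
    list is returned here instead of executed."""
    return [program] + list(args)


# Constructed sample: a stream title containing apostrophes.
SAMPLE_PROGRAM = "notify-stream"
SAMPLE_ARGS = ["stream-42", "Bob's live show (it's on)"]

if __name__ == "__main__":
    for name, builder in (("naive", build_naive), ("quoted", build_quoted)):
        line = builder(SAMPLE_PROGRAM, SAMPLE_ARGS)
        print(name, "->", shell_words(line),
              "preserved:", arguments_preserved(SAMPLE_PROGRAM, SAMPLE_ARGS, builder))
```

With the naive builder the single title argument arrives as four words with its apostrophes swallowed; with shlex.quote() it arrives as one word, unchanged. Any argument with an odd number of quotes leaves the naive command line unparseable, which the `shell_words` wrapper reports instead of raising.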

Three CVEs cover cross-site scripting and request forgery. CVE-2026-47694 (Medium, CVSS 5.4) is a stored XSS via category descriptions, where user-supplied descriptions are rendered as raw HTML in the Gallery view. CVE-2026-45580 (Medium, CVSS 5.4) is a stored XSS in the Live plugin's YouTube-style view, where the stream key is echoed raw into an HTML class attribute. CVE-2026-45610 (Medium, CVSS 5.7) is a CSRF vulnerability on the 2FA toggle endpoint, allowing an attacker to silently disable a user's two-factor authentication.
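A state-changing endpoint guarded the way the 2FA toggle should be, plus attribute-context escaping for the kind of value the stream-key bug echoes raw. This is an added Python example, not AVideo code: `SITE_ORIGIN`, the in-memory `SESSIONS` store and the request shape are assumptions. The handler refuses GET, requires a per-session CSRF token compared in constant time, and treats a present but mismatched Origin/Referer as a second, independent signal.

```python
import hmac
import html
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse

SITE_ORIGIN = "https://videos.example"      # assumption: where the app is served
SESSIONS: Dict[str, dict] = {}              # constructed in-memory session store


def new_session() -> str:
    """Log a user in: a random session id with its own CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"twofa_enabled": True, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(session_id: str) -> str:
    """The token the server embeds in its own forms as a hidden field."""
    return SESSIONS[session_id]["csrf_token"]


def same_origin(header_value: str) -> bool:
    """Compare scheme and host exactly; a prefix test would let
    https://videos.example.attacker.test through."""
    p = urlparse(header_value)
    return p.scheme + "://" + p.netloc == SITE_ORIGIN


def toggle_2fa(session_id: str, method: str, form: Dict[str, str],
               headers: Dict[str, str]) -> Tuple[int, str]:
    """State-changing endpoint. Returns (status, message)."""
    if method != "POST":                       # GET must never change state
        return 405, "method not allowed"
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401, "not logged in"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and not same_origin(origin):
        return 403, "cross-origin request rejected"
    token = form.get("csrf_token", "")
    # Compare as bytes: compare_digest on str raises for non-ASCII input.
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    sess["twofa_enabled"] = not sess["twofa_enabled"]
    return 200, "2fa " + ("enabled" if sess["twofa_enabled"] else "disabled")


def class_attr(untrusted: str) -> str:
    """Embed untrusted text in an HTML attribute: escape & < > " ' and always
    quote the attribute, so the value cannot end it early."""
    return 'class="' + html.escape(untrusted, quote=True) + '"'


if __name__ == "__main__":
    sid = new_session()
    print(toggle_2fa(sid, "GET", {}, {}))                                    # 405
    print(toggle_2fa(sid, "POST", {}, {"Origin": SITE_ORIGIN}))              # 403, no token
    tok = csrf_token_for(sid)
    print(toggle_2fa(sid, "POST", {"csrf_token": tok}, {"Origin": SITE_ORIGIN}))  # 200
    print(class_attr('live" data-x="y'))
```

A missing Origin header is tolerated here because some clients strip it; the CSRF token is the check that must pass regardless, which is why it is not skipped when the header is absent.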

CVE-2026-46337 (Medium) allows an unauthenticated remote attacker to read arbitrary image files anywhere on disk that the PHP user can open, including private user-profile photos and encrypted video previews. CVE-2026-45731 (Medium) is an authenticated path-traversal/arbitrary file read in view/update.php, where an authenticated administrator can abuse a database migration endpoint to read arbitrary text files.
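Both bugs in this paragraph are reads of files outside the directory the endpoint was meant to serve. The following added example (illustrative Python, not AVideo code) shows a file-serving routine that confines requests to one base directory: it resolves the requested name, follows symlinks, and refuses anything that lands outside the base, is not an image, or does not exist. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


class AccessDenied(Exception):
    pass


def resolve_inside(base_dir, requested: str) -> Path:
    """Map a user-supplied name onto a file inside base_dir, or refuse."""
    base = Path(base_dir).resolve()
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise AccessDenied("bad path")
    # resolve() collapses '..' and follows symlinks, so the containment test
    # below sees the real target, not the name the client sent.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise AccessDenied("path escapes base directory")
    return candidate


def serve_image(base_dir, requested: str) -> bytes:
    path = resolve_inside(base_dir, requested)
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise AccessDenied("not an image")
    if not path.is_file():
        raise AccessDenied("not found")
    return path.read_bytes()


def try_serve(base_dir, requested: str) -> Tuple[bool, str]:
    """Wrapper returning (served, content-or-reason) instead of raising."""
    try:
        return True, serve_image(base_dir, requested).decode("latin-1")
    except AccessDenied as exc:
        return False, str(exc)


def build_fixture(root: Path) -> Path:
    """Constructed layout: an image directory holding one thumbnail and one
    non-image, a secret file outside it, and a symlink inside that points at
    the secret (skipped on systems where symlinks cannot be created)."""
    base = root / "videos" / "thumbs"
    base.mkdir(parents=True)
    (base / "ok.png").write_bytes(b"PNG-bytes-constructed")
    (base / "notes.txt").write_text("not an image")
    (root / "secret.txt").write_text("constructed secret")
    try:
        (base / "escape.png").symlink_to(root / "secret.txt")
    except (OSError, NotImplementedError):
        pass
    return base


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run every request shape against a fresh temporary fixture."""
    root = Path(tempfile.mkdtemp(prefix="thumb-demo-"))
    base = build_fixture(root)
    results = {
        "plain": try_serve(base, "ok.png"),
        "dotdot_inside": try_serve(base, "sub/../ok.png"),      # normalises to ok.png
        "traversal": try_serve(base, "../../secret.txt"),
        "absolute": try_serve(base, str(root / "secret.txt")),
        "wrong_type": try_serve(base, "notes.txt"),
        "missing": try_serve(base, "nope.png"),
    }
    if (base / "escape.png").is_symlink():
        results["symlink_out"] = try_serve(base, "escape.png")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The symlink case is the one a prefix check on the raw string misses: the name looks like an image inside the directory, and only resolving it shows that it points elsewhere.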

CVE-2026-45620 (Medium, CVSS 5.3) enables unauthenticated user enumeration via the mention autocomplete endpoint, leaking valid usernames. CVE-2026-45619 (Medium, CVSS 6.5) is a DNS-rebinding vulnerability in multiple locations, where the application fails to pin resolved IPs, opening a TOCTOU window for attackers.
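The rebinding TOCTOU the advisory describes closes when the application resolves once, validates that single answer, and then connects to the pinned IP rather than handing the hostname to a client library that resolves again. The added example below (illustrative Python, not AVideo code) does exactly that; the hostname `media.example`, the resolver callbacks and the sample addresses are constructed so it runs offline, and `open_pinned` is the only part that touches the network.

```python
import ipaddress
import socket
import ssl
from typing import Callable, List, NamedTuple, Tuple


class PinnedTarget(NamedTuple):
    host: str   # original name, kept for the Host header and TLS SNI
    ip: str     # the one address that was validated
    port: int


class UnsafeTarget(Exception):
    pass


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped        # ::ffff:10.0.0.1 is really 10.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_target(host: str, port: int = 443,
               resolver: Callable[[str], List[str]] = system_resolver) -> PinnedTarget:
    """Resolve once, validate every answer, pin the first. The caller must
    connect to .ip, never to .host, or the client library resolves again
    and the rebinding window reopens."""
    try:
        answers = [str(ipaddress.ip_address(host))]    # literal IP given
    except ValueError:
        answers = resolver(host)
    if not answers:
        raise UnsafeTarget("no address for " + host)
    unsafe = [a for a in answers if not is_public(a)]
    if unsafe:
        # One non-public answer fails the whole set: a mixed answer set is a
        # common shape for rebinding, and which one a client picks is luck.
        raise UnsafeTarget("non-public address in answers: " + ", ".join(unsafe))
    return PinnedTarget(host, answers[0], port)


def open_pinned(target: PinnedTarget, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to the pinned IP; SNI and certificate validation still use the
    original hostname. Needs network, so not exercised by the tests."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((target.ip, target.port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=target.host)


def try_pin(host: str, port: int, resolver) -> Tuple[bool, str]:
    """Wrapper returning (pinned, ip-or-reason) instead of raising."""
    try:
        return True, pin_target(host, port, resolver).ip
    except UnsafeTarget as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed resolver answers; 11.22.33.44 stands in for a public address.
    print(try_pin("media.example", 443, lambda h: ["11.22.33.44"]))
    print(try_pin("media.example", 443, lambda h: ["11.22.33.44", "127.0.0.1"]))
    print(try_pin("192.168.1.1", 80, lambda h: ["11.22.33.44"]))
```

The IPv4-mapped IPv6 unwrap matters because older Python versions report `::ffff:10.0.0.1` as neither private nor loopback; checking the embedded IPv4 address makes the classification consistent across versions.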

As of the May 29 disclosure, no patched version has been released. Users are advised to monitor the WWBN AVideo GitHub repository for a security release. In the interim, administrators should restrict access to the affected endpoints via web-server access controls or reverse-proxy rules.
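One shape the interim restriction can take, as an added nginx fragment that is not from the advisory or the AVideo project. The two full paths are the ones the advisory names; the publish hook is matched by file name because the page does not give its full path. The admin range, the media server address and the `snippets/php-fastcgi.conf` include are placeholders for a deployment's own values.

```nginx
# Added interim mitigation; adjust to the deployment. Assumptions:
#   - AVideo is served by nginx with PHP handled through a reusable
#     snippet (snippets/php-fastcgi.conf is a placeholder name);
#   - administrators connect from 203.0.113.0/24 (placeholder);
#   - the media server that calls the Live publish hook is 127.0.0.1.
# Exact-match and regex locations below take precedence over a generic
# "location ~ \.php$" block, so each one that is allowed through must
# hand the request to PHP itself; otherwise nginx would serve the .php
# file as a static download.

# Wallet credit endpoint (CVE-2026-47696): there is no real gateway behind
# it, so disable it entirely until a patched release exists.
location = /plugin/AuthorizeNet/processPayment.json.php {
    return 403;
}

# Migration / file-read endpoint (CVE-2026-45731): admin-only by design,
# so limit it to the admin network.
location = /view/update.php {
    allow 203.0.113.0/24;            # placeholder admin range
    deny  all;
    include snippets/php-fastcgi.conf;   # placeholder PHP hand-off
}

# Live publish hook (CVE-2026-45578): only the media server should ever
# call it. Place this before the generic \.php$ regex location.
location ~ /on_publish\.php$ {
    allow 127.0.0.1;                 # placeholder media server address
    deny  all;
    include snippets/php-fastcgi.conf;   # placeholder PHP hand-off
}
```

After editing, `nginx -t` checks the syntax, and a request to each restricted path from outside the allowed range should return 403 before any PHP runs.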

The breadth of this disclosure is notable: a single open-source video platform ships with bugs ranging from a fake payment processor that gives away free wallet credit to unauthenticated shell injection and a 2FA toggle that any cross-site request can flip. Together, the nine CVEs paint a picture of an application where authentication, authorization, and input-validation checks are applied inconsistently across its plugin and API surface.

Synthesized by Vypr AI