VYPR
Vendor

WWBN

WWBN is a radio station broadcasting mainstream rock to Flint and The Thumb areas of Michigan. Syndicated shows on Banana include the morning comedy program The Free Beer and Hot Wings Show and the nightly music program Loudwire. It is owned by Townsquare Media and is a member of the Michigan Association of Broadcasters.

Founded: 1994
Products: 2
CVEs: 208
Across products: 210
Status: Private

Products: 2

Recent CVEs: 208
  • CVE-2025-34433 (Critical, Dec 19, 2025)
    risk 0.60 · cvss not listed · epss 0.01

    AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is…

  • CVE-2026-34374 (Critical, Mar 27, 2026)
    risk 0.59 · cvss 9.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from…

  • CVE-2026-40911 (Critical, Apr 21, 2026)
    risk 0.58 · cvss 10.0 · epss 0.01

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side,…

  • CVE-2026-45578 (High, May 29, 2026)
    risk 0.57 · cvss 8.8 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never…

  • CVE-2026-41304 (Critical, Apr 22, 2026)
    risk 0.57 · cvss 9.8 · epss 0.02

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a…

  • CVE-2026-33770 (Critical, Mar 27, 2026)
    risk 0.57 · cvss 9.8 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared…

  • CVE-2026-41064 (Critical, Apr 22, 2026)
    risk 0.53 · cvss 9.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts…

  • CVE-2026-34394 (High, Mar 31, 2026)
    risk 0.53 · cvss 8.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with…

  • CVE-2026-40909 (High, Apr 21, 2026)
    risk 0.50 · cvss 8.7 · epss 0.01

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then…

  • CVE-2026-33767 (High, Mar 27, 2026)
    risk 0.50 · cvss 8.8 · epss 0.01

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string…

  • CVE-2026-41055 (High, Apr 21, 2026)
    risk 0.49 · cvss 8.6 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects…

  • CVE-2026-40925 (High, Apr 21, 2026)
    risk 0.47 · cvss 8.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call…

  • CVE-2026-41058 (High, Apr 21, 2026)
    risk 0.46 · cvss 8.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit…

  • CVE-2026-41056 (High, Apr 21, 2026)
    risk 0.46 · cvss 8.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This…

  • CVE-2026-39370 (High, Apr 7, 2026)
    risk 0.46 · cvss 7.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation.…

  • CVE-2026-34375 (High, Mar 27, 2026)
    risk 0.46 · cvss 8.2 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not…

  • CVE-2026-43885 (High, May 11, 2026)
    risk 0.43 · cvss not listed · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit…

  • CVE-2026-43884 (High, May 11, 2026)
    risk 0.43 · cvss 7.7 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without…

  • CVE-2026-41060 (High, Apr 21, 2026)
    risk 0.43 · cvss 7.7 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain short-circuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections.…

  • CVE-2026-45619 (Medium, May 29, 2026)
    risk 0.42 · cvss 6.5 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.