VYPR · Vendor CVEs · WWBN

All CVEs

208 total · sorted by risk
  • CVE-2026-34245 · Medium · Mar 27, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the…

  • CVE-2026-43878 · Medium · May 11, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a…
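
The core of this bug class is that `htmlspecialchars()` is the wrong encoder for a value placed inside a JavaScript string literal: the value has to be encoded for the JS context first, and in a way that can never produce `</script>`. The Python below is an added example, not code from AVideo or the advisory; it renders an attacker-controlled `user` value three ways (raw, HTML-escaped, JSON/`\u`-encoded) and shows that only the last one both prevents a script breakout and delivers the value to the script unchanged. The attacker string is constructed for the example.

```python
import json

# Constructed attacker value (not from the advisory): it closes the JS string
# and the <script> element, then opens a new script element.
ATTACKER_USER = '"; </script><script>alert(1)</script>'


def escape_html(s: str) -> str:
    """htmlspecialchars()-style escaping: right for an HTML text/attribute
    context, not a fix for a JavaScript string context."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#039;"))


def js_string_literal(s: str) -> str:
    """Encode a value for use as a JS string literal inside <script>.
    json.dumps (ensure_ascii=True) escapes quotes, backslashes, control
    characters and every non-ASCII code point (so U+2028/U+2029 cannot end
    a JS line); we additionally \\u-escape <, > and & so the output can never
    contain </script> or start an HTML comment."""
    out = json.dumps(s)
    for ch in "<>&":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def render_unsafe(user: str) -> str:
    # The advisory's pattern: raw value echoed into a double-quoted JS literal.
    return '<script>var user = "%s";</script>' % user


def render_html_escaped(user: str) -> str:
    # Wrong fix: no breakout, but the script now receives literal &quot; text.
    return '<script>var user = "%s";</script>' % escape_html(user)


def render_safe(user: str) -> str:
    return "<script>var user = %s;</script>" % js_string_literal(user)


def script_breakout(page: str) -> bool:
    """True if the rendered page contains more <script tags than the template."""
    return page.lower().count("<script") > 1


def value_seen_by_script(page: str) -> str:
    """Extract and JSON-decode the literal a JS engine would parse from the
    safe rendering; used to show the value survives the encoding intact."""
    start = page.index("var user = ") + len("var user = ")
    end = page.rindex(";</script>")
    return json.loads(page[start:end])
```

In PHP the same result comes from `json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP)` written without surrounding quotes, since `json_encode` supplies them; applying `htmlspecialchars()` instead leaves the page free of a breakout but hands the script a corrupted value.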

  • CVE-2026-34739 · Medium · Mar 31, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to…

  • CVE-2026-34396 · Medium · Mar 31, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly…

  • CVE-2026-45731 · Medium · May 29, 2026
    risk 0.32 · cvss 4.9 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse…

  • CVE-2026-33237 · Medium · Mar 21, 2026
    risk 0.29 · cvss 5.5 · epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check).…

  • CVE-2026-47694 · Medium · May 29, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description,…

  • CVE-2026-43879 · Medium · May 11, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/...,…
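
This entry and CVE-2026-33237 above (a `callbackURL` validated only by a URL-format check) share one fix: judge an outbound URL by the addresses it resolves to, not by how its host is spelled, and then connect to the address you checked. The Python below is an added example, not AVideo code; the hostnames and the resolver table are constructed so it runs offline, and passing `resolver=None` uses real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline (hostnames and
# addresses are assumptions, not from the advisory).
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["8.8.4.4", "10.0.0.5"],  # mixed answer: reject the host
}


def resolve_all(host, resolver=None):
    if resolver is not None:
        if host not in resolver:
            raise ValueError("unresolvable host: %s" % host)
        return list(resolver[host])
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def ip_is_public(ip):
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is an IPv6 literal that reaches IPv4 loopback
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_webhook_url(url, resolver=None):
    """Return the address the caller must connect to, or raise ValueError.
    The test runs on resolved addresses, so 127.0.0.1, 169.254.169.254,
    internal names, IPv4-mapped IPv6 and odd spellings the resolver accepts
    (e.g. 0x7f000001) are all caught by one check instead of a denylist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    try:
        ips = [str(ipaddress.ip_address(host))]      # IP literal, nothing to resolve
    except ValueError:
        ips = resolve_all(host, resolver)             # hostname: check every answer
    if not ips:
        raise ValueError("host has no addresses")
    for ip in ips:
        if not ip_is_public(ip):
            raise ValueError("%s resolves to non-public address %s" % (host, ip))
    # Pin the connection to this address (connect to the IP, send Host: host)
    # so a second resolution at connect time cannot swap in a private one.
    return ips[0]


def rejected(url, resolver=None):
    try:
        validate_webhook_url(url, resolver)
        return False
    except ValueError:
        return True
```

The returned address is the one to open the socket to; letting the HTTP client re-resolve the hostname reintroduces the DNS-rebinding window the check was meant to close. Redirects need the same treatment, since a public host can 302 to a loopback or metadata address.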

  • CVE-2026-43877 · Medium · May 11, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is…

  • CVE-2026-41063 · Medium · Apr 21, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link…
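
Stripping raw HTML from markdown does nothing for a link whose target is a `javascript:` URL; the href needs a scheme allowlist applied after the same normalization a browser performs. The Python below is an added example (not AVideo's `ParsedownSafeWithLinks` and not the project's code): it decodes entities, strips leading control characters and embedded tab/CR/LF, then compares the scheme case-insensitively. `ALLOWED_SCHEMES` is an assumed policy.

```python
import html
import re

# Schemes a markdown renderer should allow in link/autolink targets (assumed policy).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def safe_href(url):
    """Return a normalized href if its scheme is allowed (relative URLs are
    allowed too), otherwise None. Normalization mirrors what a browser does
    before it decides the scheme, so the bypass spellings land on the same
    string as the plain one."""
    s = html.unescape(url)                         # &#106;avascript: -> javascript:
    s = re.sub(r"^[\x00-\x20]+", "", s)            # "  javascript:" -> "javascript:"
    s = re.sub(r"[\t\r\n]", "", s)                 # "java\tscript:" -> "javascript:"
    m = _SCHEME.match(s)
    if m is None:
        return s                                   # relative or protocol-relative URL
    if m.group(1).lower() not in ALLOWED_SCHEMES:
        return None                                # javascript:, data:, vbscript:, ...
    return s


def render_link(text, url):
    """Markdown-style [text](url) -> <a>, dropping the href when not allowed."""
    href = safe_href(url)
    label = html.escape(text, quote=True)
    if href is None:
        return "<a>%s</a>" % label
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), label)
```

The same function has to run for every place a URL is emitted (inline links, autolinks, image sources), which is exactly the gap the advisory describes: one override covered raw HTML while `inlineLink()` and `inlineUrlTag()` kept emitting unchecked targets.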

  • CVE-2026-41061 · Medium · Apr 21, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration…
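
The regex quoted above only pins the start of the string, so anything may follow a valid `hh:mm:ss` prefix. The Python below is an added re-implementation of that check (the pattern is the one in the entry; the wrapper functions and `parse_duration_seconds` are this example's, not AVideo's) and compares three variants side by side. It also shows the caveat a practitioner wants: in both PCRE and Python, a plain `$` still matches before a trailing newline, so the strict form uses `fullmatch()` (in PCRE, `\z` or the `D` modifier).

```python
import re

# Re-implementation (not AVideo's code) of the duration check described above.
DURATION = r"[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}"

_UNANCHORED = re.compile("^" + DURATION)          # the vulnerable form: prefix only
_DOLLAR = re.compile("^" + DURATION + "$")        # the obvious fix; $ still allows "\n" at end
_STRICT = re.compile(DURATION)                    # used with fullmatch(): whole string, nothing after


def is_valid_duration_unanchored(s):
    return _UNANCHORED.match(s) is not None


def is_valid_duration_dollar(s):
    return _DOLLAR.match(s) is not None


def is_valid_duration(s):
    return _STRICT.fullmatch(s) is not None


def check(s):
    """(unanchored, $-anchored, fullmatch) verdicts for one input."""
    return (is_valid_duration_unanchored(s),
            is_valid_duration_dollar(s),
            is_valid_duration(s))


def parse_duration_seconds(s):
    """Validate strictly, then convert to seconds; raises on anything else."""
    if not is_valid_duration(s):
        raise ValueError("bad duration: %r" % s)
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec
```

Validation alone is not the whole fix: the value still has to be output-encoded where it is rendered, because a validator can be bypassed through any other write path to the same column.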

  • CVE-2026-40929 · Medium · Apr 21, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global…

  • CVE-2026-40928 · Medium · Apr 21, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or…

  • CVE-2026-39367 · Medium · Apr 7, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can…

  • CVE-2026-35181 · Medium · Apr 6, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via…

  • CVE-2026-35180 · Medium · Apr 6, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes.…
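
The four CSRF entries above (CVE-2026-40929, CVE-2026-40928, CVE-2026-35181, CVE-2026-35180) describe the same missing gate in front of a state-changing endpoint. The Python below is an added example of what that gate should check; it is not AVideo's `forbidIfIsUntrustedRequest()` and the site origin and secret are assumed values. The three checks are independent on purpose: method, Origin/Referer, and a per-session token read from the POST body only.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed deployment values (not from the advisories). CSRF_SECRET should be
# generated once per deployment, e.g. secrets.token_bytes(32), and kept server-side.
SITE_ORIGIN = "https://video.example.com"
CSRF_SECRET = b"example-only-secret-replace-at-deploy-time"


def csrf_token(session_id):
    """Per-session token derived from the server secret: nothing to store, and
    a token captured from one session does not validate for another."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(value):
    if not value:
        return False
    got, want = urlsplit(value), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def request_is_trusted(method, headers, post, session_id):
    """True if a state-changing request may proceed. Three independent checks:
    POST only (so nothing read from $_GET/$_REQUEST can mutate state), Origin
    (Referer as fallback) must match the site, and a valid per-session token
    must be present in the POST body. Token comparison is constant-time."""
    if method != "POST":
        return False
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return False
    token = post.get("csrf_token", "")
    if not isinstance(token, str) or not token or not token.isascii():
        return False
    return hmac.compare_digest(token, csrf_token(session_id))
```

Order matters for CVE-2026-35180 specifically: the gate has to run before any side effect, so an uploaded file is never written to disk ahead of the decision.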

  • CVE-2026-34362 · Medium · Mar 27, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a…

  • CVE-2026-34247 · Medium · Mar 27, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint…

  • CVE-2026-43881 · Medium · May 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for…

  • CVE-2026-43880 · Medium · May 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for…

  • CVE-2026-40935 · Medium · Apr 21, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character…

  • CVE-2026-34732 · Medium · Mar 31, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges,…

  • CVE-2026-34369 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video…

  • CVE-2026-34368 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency…
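
A read-check-write sequence lets two concurrent transfers both pass the balance check before either debit lands. The Python below is an added example, not AVideo's `transferBalance()`: it uses an in-memory SQLite table with constructed balances, replays the racy interleaving deterministically (check A, check B, write A, write B), and then shows the fixed shape, where the sufficiency test is part of the debit statement itself.

```python
import sqlite3


def make_wallet_db():
    """In-memory wallet table with constructed balances: user 1 has 100, user 2 has 0."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wallet (users_id INTEGER PRIMARY KEY, balance REAL NOT NULL)")
    db.executemany("INSERT INTO wallet VALUES (?, ?)", [(1, 100.0), (2, 0.0)])
    db.commit()
    return db


def balance(db, users_id):
    return db.execute("SELECT balance FROM wallet WHERE users_id = ?", (users_id,)).fetchone()[0]


# --- Vulnerable shape: the check and the write are separate statements ---
def racy_check(db, src, amount):
    return balance(db, src) >= amount          # time of check


def racy_write(db, src, dst, amount):
    db.execute("UPDATE wallet SET balance = balance - ? WHERE users_id = ?", (amount, src))
    db.execute("UPDATE wallet SET balance = balance + ? WHERE users_id = ?", (amount, dst))
    db.commit()                                 # time of use


def racy_interleaving(db, amount=80.0):
    """Two requests moving 80 out of a 100 balance, interleaved as
    check-A, check-B, write-A, write-B: both checks pass, balance goes negative."""
    ok_a = racy_check(db, 1, amount)
    ok_b = racy_check(db, 1, amount)
    if ok_a:
        racy_write(db, 1, 2, amount)
    if ok_b:
        racy_write(db, 1, 2, amount)
    return balance(db, 1)


# --- Fixed shape: the check is part of the write ---
def transfer_atomic(db, src, dst, amount):
    """The sufficiency test lives in the WHERE clause of the debit, so the
    database evaluates it against the row it is about to modify; a concurrent
    transfer either sees the debited row (and fails) or runs first."""
    if amount <= 0:                             # a negative amount would credit the sender
        return False
    cur = db.execute(
        "UPDATE wallet SET balance = balance - ? WHERE users_id = ? AND balance >= ?",
        (amount, src, amount))
    if cur.rowcount != 1:
        db.rollback()
        return False
    db.execute("UPDATE wallet SET balance = balance + ? WHERE users_id = ?", (amount, dst))
    db.commit()
    return True


def atomic_interleaving(db, amount=80.0):
    first = transfer_atomic(db, 1, 2, amount)
    second = transfer_atomic(db, 1, 2, amount)
    return first, second, balance(db, 1)
```

On MySQL/MariaDB the equivalent is the same conditional `UPDATE` inside one transaction, or `SELECT ... FOR UPDATE` on the sender's row before the check; either way the decision and the write must be one unit at the database, not two PHP statements.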

  • CVE-2026-34364 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter),…

  • CVE-2026-33763 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean…

  • CVE-2026-33761 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`)…

  • CVE-2026-33759 · Medium · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later`…

  • CVE-2026-35448 · Low · Apr 6, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the…

  • CVE-2026-47696 · Medium · May 29, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes…

  • CVE-2026-43882 · Medium · May 11, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar…

  • CVE-2026-34738 · Medium · Mar 31, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the…

  • CVE-2026-33764 · Medium · Mar 27, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video.…

  • CVE-2026-33238 · Medium · Mar 21, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire…
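
This entry and CVE-2026-45731 above (`updateFile` taken as a relative path under `updatedb/`) are both missing the same confinement step: resolve the user-supplied path against the intended base directory and refuse anything whose real location is outside it. The Python below is an added example, not AVideo code; the directory layout it builds (a migration file, a secret outside the base, and a symlink inside the base pointing at the secret) is constructed in a temporary directory so the example runs stand-alone.

```python
import os
import tempfile


def resolve_under(base_dir, user_path):
    """Return the real absolute path of user_path confined to base_dir, or raise
    ValueError. Both sides go through realpath(), so '..' segments and symlinks
    are judged by where they actually land, not by string matching."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute path not allowed: %r" % user_path)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: base "/srv/updatedb" must not accept
    # "/srv/updatedb_old/x"
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base_dir, user_path))
    return candidate


def demo():
    """Constructed layout: root/updatedb/001.sql, root/secret.txt, and a symlink
    root/updatedb/link.sql -> root/secret.txt. Returns (accepted, rejected) inputs."""
    root = tempfile.mkdtemp()
    upd = os.path.join(root, "updatedb")
    os.mkdir(upd)
    with open(os.path.join(upd, "001.sql"), "w") as f:
        f.write("-- migration\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("top secret\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(upd, "link.sql"))
    attempts = ["001.sql", "sub/../001.sql", "../secret.txt", "/etc/passwd", "link.sql"]
    accepted, rejected = [], []
    for a in attempts:
        try:
            resolve_under(upd, a)
            accepted.append(a)
        except ValueError:
            rejected.append(a)
    return accepted, rejected
```

For the `glob()` case, hand `glob()` the confined path rather than the raw parameter, and run the same check on each result before reading it, since a symlink inside the base can still point outside it. For the migration case, an allowlist of known migration filenames is simpler and stronger than any path check.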

  • CVE-2026-43883 · Medium · May 11, 2026
    risk 0.20 · cvss 4.2 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A…

  • CVE-2026-33684 · Medium · Jun 22, 2026
    risk 0.19 · cvss n/a · epss n/a

    Summary: The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid…

  • CVE-2025-34442 · Dec 17, 2025
    risk 0.03 · cvss n/a · epss 0.01

    AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.

  • CVE-2025-34441 · Dec 17, 2025
    risk 0.03 · cvss n/a · epss 0.01

    AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

  • CVE-2022-32572 · Aug 22, 2022
    risk 0.02 · cvss n/a · epss 0.23

    An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2022-30547 · Aug 22, 2022
    risk 0.02 · cvss n/a · epss 0.64

    A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

  • CVE-2023-48728 · Jan 10, 2024
    risk 0.01 · cvss n/a · epss 0.02

    A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to…

  • CVE-2022-32772 · Aug 22, 2022
    risk 0.01 · cvss n/a · epss 0.03

    A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-32771 · Aug 22, 2022
    risk 0.01 · cvss n/a · epss 0.03

    A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-32770 · Aug 22, 2022
    risk 0.01 · cvss n/a · epss 0.03

    A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-30690 · Aug 22, 2022
    risk 0.01 · cvss n/a · epss 0.84

    A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…

  • CVE-2022-30534 · Aug 22, 2022
    risk 0.01 · cvss n/a · epss 0.74

    An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this…

  • CVE-2022-26842 · Aug 22, 2022
    risk 0.01 · cvss n/a · epss 0.03

    A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to…

  • CVE-2026-56347 · Jun 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute…

  • CVE-2026-56346 · Jun 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption…

  • CVE-2026-56345 · Jun 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a…

Page 2 of 5