Vendor CVEs
WWBN
All CVEs
208 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34245 | Med | 0.34 | 6.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the… | ||
| CVE-2026-43878 | Med | 0.33 | 6.1 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a… | ||
| CVE-2026-34739 | Med | 0.33 | 6.1 | 0.00 | Mar 31, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to… | ||
| CVE-2026-34396 | Med | 0.33 | 6.1 | 0.00 | Mar 31, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly… | ||
| CVE-2026-45731 | Med | 0.32 | 4.9 | 0.00 | May 29, 2026 | WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse… | ||
| CVE-2026-33237 | Med | 0.29 | 5.5 | 0.00 | Mar 21, 2026 | WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check).… | ||
| CVE-2026-47694 | Med | 0.28 | 5.4 | 0.00 | May 29, 2026 | WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description,… | ||
| CVE-2026-43879 | Med | 0.28 | 5.4 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/...,… | ||
| CVE-2026-43877 | Med | 0.28 | 5.4 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is… | ||
| CVE-2026-41063 | Med | 0.28 | 5.4 | 0.00 | Apr 21, 2026 | WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link… | ||
| CVE-2026-41061 | Med | 0.28 | 5.4 | 0.00 | Apr 21, 2026 | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration… | ||
| CVE-2026-40929 | Med | 0.28 | 5.4 | 0.00 | Apr 21, 2026 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global… | ||
| CVE-2026-40928 | Med | 0.28 | 5.4 | 0.00 | Apr 21, 2026 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or… | ||
| CVE-2026-39367 | Med | 0.28 | 5.4 | 0.00 | Apr 7, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can… | ||
| CVE-2026-35181 | Med | 0.28 | 4.3 | 0.00 | Apr 6, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via… | ||
| CVE-2026-35180 | Med | 0.28 | 4.3 | 0.00 | Apr 6, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes.… | ||
| CVE-2026-34362 | Med | 0.28 | 5.4 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a… | ||
| CVE-2026-34247 | Med | 0.28 | 5.4 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint… | ||
| CVE-2026-43881 | Med | 0.27 | 5.3 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for… | ||
| CVE-2026-43880 | Med | 0.27 | 5.3 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for… | ||
| CVE-2026-40935 | Med | 0.27 | 5.3 | 0.00 | Apr 21, 2026 | WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character… | ||
| CVE-2026-34732 | Med | 0.27 | 5.3 | 0.00 | Mar 31, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges,… | ||
| CVE-2026-34369 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video… | ||
| CVE-2026-34368 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency… | ||
| CVE-2026-34364 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter),… | ||
| CVE-2026-33763 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean… | ||
| CVE-2026-33761 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`)… | ||
| CVE-2026-33759 | Med | 0.27 | 5.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later`… | ||
| CVE-2026-35448 | Low | 0.24 | 3.7 | 0.00 | Apr 6, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the… | ||
| CVE-2026-47696 | Med | 0.21 | 4.3 | 0.00 | May 29, 2026 | WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes… | ||
| CVE-2026-43882 | Med | 0.21 | 4.3 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar… | ||
| CVE-2026-34738 | Med | 0.21 | 4.3 | 0.00 | Mar 31, 2026 | WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the… | ||
| CVE-2026-33764 | Med | 0.21 | 4.3 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video.… | ||
| CVE-2026-33238 | Med | 0.21 | 4.3 | 0.00 | Mar 21, 2026 | WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire… | ||
| CVE-2026-43883 | Med | 0.20 | 4.2 | 0.00 | May 11, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A… | ||
| CVE-2026-33684 | med | 0.19 | — | — | Jun 22, 2026 | ## Summary The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid… | ||
| CVE-2025-34442 | 0.03 | — | 0.01 | Dec 17, 2025 | AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains. | |||
| CVE-2025-34441 | 0.03 | — | 0.01 | Dec 17, 2025 | AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations. | |||
| CVE-2022-32572 | 0.02 | — | 0.23 | Aug 22, 2022 | An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2022-30547 | 0.02 | — | 0.64 | Aug 22, 2022 | A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | |||
| CVE-2023-48728 | 0.01 | — | 0.02 | Jan 10, 2024 | A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to… | |||
| CVE-2022-32772 | 0.01 | — | 0.03 | Aug 22, 2022 | A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP… | |||
| CVE-2022-32771 | 0.01 | — | 0.03 | Aug 22, 2022 | A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP… | |||
| CVE-2022-32770 | 0.01 | — | 0.03 | Aug 22, 2022 | A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP… | |||
| CVE-2022-30690 | 0.01 | — | 0.84 | Aug 22, 2022 | A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP… | |||
| CVE-2022-30534 | 0.01 | — | 0.74 | Aug 22, 2022 | An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this… | |||
| CVE-2022-26842 | 0.01 | — | 0.03 | Aug 22, 2022 | A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to… | |||
| CVE-2026-56347 | 0.00 | — | 0.00 | Jun 20, 2026 | AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute… | |||
| CVE-2026-56346 | 0.00 | — | 0.00 | Jun 20, 2026 | AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption… | |||
| CVE-2026-56345 | 0.00 | — | 0.00 | Jun 20, 2026 | AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a… |
- risk 0.34cvss 6.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the…
- risk 0.33cvss 6.1epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a…
- risk 0.33cvss 6.1epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to…
- risk 0.33cvss 6.1epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly…
- risk 0.32cvss 4.9epss 0.00
WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse…
- risk 0.29cvss 5.5epss 0.00
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check).…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description,…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/...,…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can…
- risk 0.28cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via…
- risk 0.28cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes.…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges,…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter),…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`)…
- risk 0.27cvss 5.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later`…
- risk 0.24cvss 3.7epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the…
- risk 0.21cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes…
- risk 0.21cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar…
- risk 0.21cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the…
- risk 0.21cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video.…
- risk 0.21cvss 4.3epss 0.00
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire…
- risk 0.20cvss 4.2epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A…
- risk 0.19cvss —epss —
## Summary The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid…
- CVE-2025-34442Dec 17, 2025risk 0.03cvss —epss 0.01
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
- CVE-2025-34441Dec 17, 2025risk 0.03cvss —epss 0.01
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
- CVE-2022-32572Aug 22, 2022risk 0.02cvss —epss 0.23
An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2022-30547Aug 22, 2022risk 0.02cvss —epss 0.64
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2023-48728Jan 10, 2024risk 0.01cvss —epss 0.02
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to…
- CVE-2022-32772Aug 22, 2022risk 0.01cvss —epss 0.03
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…
- CVE-2022-32771Aug 22, 2022risk 0.01cvss —epss 0.03
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…
- CVE-2022-32770Aug 22, 2022risk 0.01cvss —epss 0.03
A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…
- CVE-2022-30690Aug 22, 2022risk 0.01cvss —epss 0.84
A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP…
- CVE-2022-30534Aug 22, 2022risk 0.01cvss —epss 0.74
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this…
- CVE-2022-26842Aug 22, 2022risk 0.01cvss —epss 0.03
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to…
- CVE-2026-56347Jun 20, 2026risk 0.00cvss —epss 0.00
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute…
- CVE-2026-56346Jun 20, 2026risk 0.00cvss —epss 0.00
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption…
- CVE-2026-56345Jun 20, 2026risk 0.00cvss —epss 0.00
AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target users_id from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a…
Page 2 of 5