VYPR

Vendor CVEs

WWBN

All CVEs

208 total · sorted by risk
  • CVE-2026-56342Jun 20, 2026
    risk 0.00cvss epss 0.00

    AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL() validation and accepts requests to private IP ranges…

  • CVE-2026-56341Jun 20, 2026
    risk 0.00cvss epss 0.00

    AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction…

  • CVE-2026-50182Jun 4, 2026
    risk 0.00cvss epss 0.00

    # Unauthenticated Reflected XSS via `$_GET['search']` in AVideo YouTubeAPI Gallery Pagination ## Summary A reflected Cross-Site Scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's…

  • CVE-2026-33723Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This…

  • CVE-2026-33719Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key…

  • CVE-2026-33717Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension…

  • CVE-2026-33716Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token…

  • CVE-2026-33690Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged…

  • CVE-2026-33688Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to…

  • CVE-2026-33685Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video…

  • CVE-2026-33683Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The…

  • CVE-2026-33681Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows…

  • CVE-2026-33651Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which…

  • CVE-2026-33650Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the…

  • CVE-2026-33649Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and…

  • CVE-2026-33648Mar 23, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log…

  • CVE-2026-33647Mar 23, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without…

  • CVE-2026-33513Mar 23, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under…

  • CVE-2026-33512Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so…

  • CVE-2026-33507Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application…

  • CVE-2026-33502Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to…

  • CVE-2026-33501Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission…

  • CVE-2026-33500Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's…

  • CVE-2026-33499Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `` tag's attributes without any output encoding…

  • CVE-2026-33493Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was…

  • CVE-2026-33492Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific…

  • CVE-2026-33488Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public…

  • CVE-2026-33485Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two…

  • CVE-2026-33483Mar 23, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send…

  • CVE-2026-33482Mar 23, 2026
    risk 0.00cvss epss 0.02

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`,…

  • CVE-2026-33480Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to…

  • CVE-2026-33479Mar 23, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind…

  • CVE-2026-33478Mar 23, 2026
    risk 0.00cvss epss 0.13

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone…

  • CVE-2026-33354Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk…

  • CVE-2026-33352Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters…

  • CVE-2026-33351Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this…

  • CVE-2026-33297Mar 23, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password…

  • CVE-2026-33296Mar 22, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe…

  • CVE-2026-33295Mar 22, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string…

  • CVE-2026-33294Mar 22, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in…

  • CVE-2026-33293Mar 22, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences…

  • CVE-2026-33319Mar 22, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via…

  • CVE-2026-33292Mar 22, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET…

  • CVE-2026-33043Mar 20, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with…

  • CVE-2026-33041Mar 20, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling…

  • CVE-2026-33039Mar 20, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP…

  • CVE-2026-33038Mar 20, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin…

  • CVE-2026-33037Mar 20, 2026
    risk 0.00cvss epss 0.01

    WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any…

  • CVE-2026-33035Mar 20, 2026
    risk 0.00cvss epss 0.00

    WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a…

  • CVE-2026-33025Mar 20, 2026
    risk 0.00cvss epss 0.00

    AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was…