wwbn/avideo Security Advisories (155)
-
[CRITICAL] WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
PKSA-rftd-5wbt-6qx1 GHSA-8whc-2wmv-ww35
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
PKSA-qfq6-tncf-8grt CVE-2026-50183 GHSA-66q5-cj5g-wrfx
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination
PKSA-s76b-xf2h-zmsc CVE-2026-50182 GHSA-hgjh-6wj8-gcgf
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
PKSA-k9kk-fbnx-923m CVE-2026-49279 GHSA-2fhx-q92v-5fhv
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
PKSA-59k2-q697-bf8x CVE-2026-47696 GHSA-9392-pj54-qqf8
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Stored XSS via unescaped Gallery category description
PKSA-4cz6-6cfv-8gy3 CVE-2026-47694 GHSA-c8h8-vq34-9fw2
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
PKSA-2zy4-bynz-m2w3 CVE-2026-46337 GHSA-w4qq-74h6-58wq
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Authenticated Arbitrary File Read in view/update.php
PKSA-qsmt-54t8-4cfb CVE-2026-45731 GHSA-3mjv-375j-6h92
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
PKSA-23zk-pg8x-sksb CVE-2026-45620 GHSA-vpfx-pxqw-2w79
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
PKSA-fc5p-jrjx-1jy4 CVE-2026-45619 GHSA-c3ch-22rq-xfwr
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
PKSA-p6p4-r212-wdgb CVE-2026-45610 GHSA-3mv2-vmwh-rwfx
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
PKSA-wfgs-zzz2-wqdc CVE-2026-45580 GHSA-m5j4-7r85-2cj2
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
PKSA-rjrh-w2j8-5qv7 CVE-2026-45578 GHSA-xw67-cg5f-4m2r
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
PKSA-psg4-6wzm-s4q8 GHSA-qxvm-r42f-5p8j
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
PKSA-fx66-ws43-zr1x CVE-2026-43885 GHSA-xr49-f4rh-qcjf
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
PKSA-458v-1gr5-bf2y CVE-2026-43884 GHSA-2hch-c97c-g99x
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
PKSA-45d7-4cq7-wyg1 CVE-2026-43883 GHSA-958h-qp3x-q4gj
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
PKSA-81bf-8cfg-hbh2 CVE-2026-43882 GHSA-mwgh-92m2-wvhv
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
PKSA-m1k1-6n5g-5skj CVE-2026-43881 GHSA-6rvw-7p8v-mjfq
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
PKSA-7c98-nyt4-qt25 CVE-2026-43880 GHSA-5hgj-7gm9-cff5
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
PKSA-n1mw-ddw6-yyqd CVE-2026-43879 GHSA-wp38-whx3-xffh
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
PKSA-x5f2-6rvc-vhkd CVE-2026-43878 GHSA-mm5f-8q57-4fc4
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
PKSA-7rzh-pwkp-t841 CVE-2026-43877 GHSA-jw8g-5j46-44rp
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
PKSA-71gv-fx3g-ynk8 CVE-2026-43876 GHSA-g9cm-rxp7-6gv5
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
PKSA-dbh3-mg7m-c1nc CVE-2026-43875 GHSA-5w8w-26ch-v5cw
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
PKSA-15fj-zg4r-zsnq CVE-2026-43874 GHSA-ghcv-22jf-vfxm
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
PKSA-5tbj-dcxw-w2wv CVE-2026-43873 GHSA-qm9p-p5pw-jrx2
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo: RCE cause by clonesite plugin
PKSA-z3t4-4xbz-b3c9 CVE-2026-41304 GHSA-xr6f-h4x7-r6qp
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
PKSA-v7bq-jd15-qdrz CVE-2026-41064 GHSA-pq8p-wc4f-vg7j
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
PKSA-gvmz-qdx4-njzh CVE-2026-41063 GHSA-m7r8-6q9j-m2hc
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
PKSA-pt2z-fxr4-fvmc CVE-2026-41062 GHSA-m63r-m9jh-3vc6
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
PKSA-gxyd-jpvf-3ngj CVE-2026-41061 GHSA-8pv3-29pp-pf8f
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
PKSA-8cks-7g1w-tz19 CVE-2026-41060 GHSA-j432-4w3j-3w8j
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
PKSA-q934-7bnb-4bby CVE-2026-41058 GHSA-5879-4fmr-xwf2
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
PKSA-tsyg-vszv-9tkz CVE-2026-41057 GHSA-ff5q-cc22-fgp4
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
PKSA-5c4b-gnfd-8xsq CVE-2026-41056 GHSA-ccq9-r5cw-5hwq
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
PKSA-zgmc-4215-ztzk CVE-2026-41055 GHSA-793q-xgj6-7frp
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
PKSA-k6wt-ck7m-8514 CVE-2026-40935 GHSA-hg7g-56h5-5pqr
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
PKSA-8nj2-vhcz-7bc5 CVE-2026-40929 GHSA-8qm8-g55h-xmqr
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
PKSA-k36z-m2m9-7f9w CVE-2026-40928 GHSA-x2pw-9c38-cp2j
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
PKSA-ttj4-18vr-tsp9 CVE-2026-40926 GHSA-ffw8-fwxp-h64w
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
PKSA-nfcd-g6c3-5tff CVE-2026-40925 GHSA-vvfw-4m39-fjqf
Affected version: <=29.0
Reported by:
GitHub -
[CRITICAL] WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
PKSA-zr2c-vrf1-x6qy CVE-2026-40911 GHSA-gph2-j4c9-vhhr
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
PKSA-mbzn-myxk-vdz9 CVE-2026-40909 GHSA-6rc6-p838-686f
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
PKSA-yc9y-ydj1-h48d CVE-2026-40908 GHSA-52hf-63q4-r926
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
PKSA-2sy8-4q8b-cn2c CVE-2026-40907 GHSA-gpgp-w4x2-h3h7
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
PKSA-k95w-1pmg-ryfd CVE-2026-39370 GHSA-cmcr-q4jf-p6q9
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
PKSA-jrf5-73b5-1wm8 CVE-2026-39369 GHSA-f4f9-627c-jh33
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
PKSA-9dyr-jdcn-mr53 CVE-2026-39368 GHSA-q4x6-6mm2-crg9
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
PKSA-zd55-pq2p-fmtz CVE-2026-39367 GHSA-rqp3-gf5h-mrqx
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
PKSA-1dhf-r34w-p2f7 CVE-2026-39366 GHSA-mmw7-wq3c-wf9p
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
PKSA-8d75-pkrm-ryk2 CVE-2026-35452 GHSA-99j6-hj87-6fcf
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
PKSA-yv5c-84v4-5kzs CVE-2026-35450 GHSA-2vg4-rrx4-qcpq
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
PKSA-8k5g-7b6v-dmzw CVE-2026-35449 GHSA-hg8q-8wqr-35xx
Affected version: <=26.0
Reported by:
GitHub -
[LOW] AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
PKSA-v2fv-f7cj-pvmk CVE-2026-35448 GHSA-3v7m-qg4x-58h9
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
PKSA-6czf-bc7p-h4k6 CVE-2026-35181 GHSA-4q27-4rrq-fx95
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
PKSA-9kdr-v9xz-q97d CVE-2026-35179 GHSA-x9w5-xccw-5h9w
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin
PKSA-h129-dyyg-hqpq GHSA-gmpc-fxg2-vcmq
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
PKSA-v4v4-994j-g46x CVE-2026-34740 GHSA-x5vx-vrpf-r45f
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
PKSA-trzy-nkyc-3bq1 CVE-2026-34739 GHSA-jqrj-chh6-8h78
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
PKSA-4yg6-hdf3-cm7q CVE-2026-34738 GHSA-m577-w9j8-ch7j
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
PKSA-jw1r-58j1-stm1 CVE-2026-34737 GHSA-38rh-4v39-vfxv
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
PKSA-tjqt-v3v3-pg6b CVE-2026-34733 GHSA-wwpw-hrx8-79r5
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
PKSA-mshg-1d1p-db19 CVE-2026-34732 GHSA-g2mg-cgr6-vmv7
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
PKSA-nbcf-22q2-3259 CVE-2026-34731 GHSA-4jcg-jxpf-5vq3
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
PKSA-nph7-q1m2-1jj5 CVE-2026-34716 GHSA-w4hp-w536-jg64
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
PKSA-bppj-bwtk-gjyq CVE-2026-34613 GHSA-hqxf-mhfw-rc44
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
PKSA-zmm3-dkmp-577r CVE-2026-34611 GHSA-c4xj-x7p8-3x7q
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
PKSA-8d8v-tnwh-mvxd CVE-2026-34396 GHSA-v4h7-3x43-qqw4
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
PKSA-9wd9-hqm1-g8vw CVE-2026-34395 GHSA-77jp-mgcw-rfmr
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
PKSA-sgq7-y46w-x6wm CVE-2026-34394 GHSA-4wwr-7h7c-chqr
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
PKSA-vp5k-2k3q-kh8x CVE-2026-34375 GHSA-pm37-62g7-p768
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
PKSA-jgsk-3v13-mp5q CVE-2026-34369 GHSA-q6jj-r49p-94fh
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
PKSA-r7hg-81sr-ph3s CVE-2026-34368 GHSA-h54m-c522-h6qr
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
PKSA-zrqg-465j-tm13 CVE-2026-34364 GHSA-73gr-r64q-7jh4
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
PKSA-3yrj-j1ff-gsp4 CVE-2026-34362 GHSA-2mg4-pfgx-64cf
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
PKSA-6jcq-63hk-b922 CVE-2026-34247 GHSA-g3hj-mf85-679g
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
PKSA-fw58-yv1p-mjjv CVE-2026-34245 GHSA-2rm7-j397-3fqg
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
PKSA-mhr2-p9hx-xy4j GHSA-wprj-9cvc-5w37
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has Plaintext Video Password Storage
PKSA-vcf8-yygk-smvm CVE-2026-33867 GHSA-363v-5rh8-23wg
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
PKSA-d1c1-62x6-fsdv CVE-2026-33770 GHSA-584p-rpvq-35vf
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
PKSA-d7fp-yz92-57bz CVE-2026-33767 GHSA-fj74-qxj7-r3vc
Affected version: <26.0
Reported by:
GitHub -
[MEDIUM] AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
PKSA-37q2-fmsd-htgf CVE-2026-33766 GHSA-f359-r3pv-2phf
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
PKSA-ggc8-4vpf-v295 CVE-2026-33764 GHSA-g39v-qrj6-jxrh
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
PKSA-qmkf-gp88-ftk6 CVE-2026-33763 GHSA-8prq-2jr2-cm92
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
PKSA-t2zr-g4vs-n5nr CVE-2026-33761 GHSA-j724-5c6c-68g5
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
PKSA-kzzd-7tpm-2718 CVE-2026-33759 GHSA-75qq-68m8-pvfr
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
PKSA-c9d6-fz2f-92mg CVE-2026-33723 GHSA-ffr8-fxhv-fv8h
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
PKSA-nk6y-bx1m-kq7t CVE-2026-33719 GHSA-r64r-883r-wcwh
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
PKSA-xbpw-5md3-j3nz CVE-2026-33717 GHSA-8wf4-c4x3-h952
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
PKSA-7gff-yt7v-8bkx CVE-2026-33716 GHSA-9hv9-gvwm-95f2
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
PKSA-x77f-z8vb-hbfr CVE-2026-33690 GHSA-8p2x-5cpm-qrqw
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php
PKSA-6bhm-ppng-rh7j GHSA-wxjx-r2j2-96fx
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
PKSA-rmrd-1jny-519s CVE-2026-33688 GHSA-m99f-mmvg-3xmx
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
PKSA-rhxf-1yfy-x5fd CVE-2026-33685 GHSA-j36m-74g2-7m95
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
PKSA-cx3j-v85y-y9tv CVE-2026-33683 GHSA-ghx5-7jjg-q2j7
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name
PKSA-9p99-sn38-6cwv CVE-2026-33681 GHSA-3hwv-x8g3-9qpr
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
PKSA-m663-qqs4-57t4 CVE-2026-33651 GHSA-pvw4-p2jm-chjm
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
PKSA-kbvc-x3nh-bwr5 CVE-2026-33650 GHSA-8x77-f38v-4m5j
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
PKSA-nfgn-q1hy-xddr CVE-2026-33649 GHSA-g8x9-7mgh-7cvj
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
PKSA-cpqv-3x62-47s6 CVE-2026-33648 GHSA-5m4q-5cvx-36mw
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
PKSA-sv6m-nx8k-5kz3 CVE-2026-33647 GHSA-wxjw-phj6-g75w
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
PKSA-2x5y-pg7k-8jx1 CVE-2026-33513 GHSA-8fw8-q79c-fp9m
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an unauthenticated decrypt oracle leaking any ciphertext
PKSA-stv4-sw5c-pp7h CVE-2026-33512 GHSA-mwjc-5j4x-r686
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
PKSA-9rhr-hzp4-skcj CVE-2026-33507 GHSA-hv36-p4w4-6vmj
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has Unauthenticated SSRF via plugin/Live/test.php
PKSA-734r-s438-vkf3 CVE-2026-33502 GHSA-3fpm-8rjr-v5mc
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
PKSA-93k3-9zdh-zky7 CVE-2026-33501 GHSA-96qp-8cmq-jvq8
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
PKSA-fjmv-8jwk-wtsg CVE-2026-33500 GHSA-72h5-39r7-r26j
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
PKSA-g9zg-y2pv-yf4q CVE-2026-33499 GHSA-7292-w8qp-mhq2
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
PKSA-28kd-gd4j-w94p CVE-2026-33493 GHSA-83xq-8jxj-4rxm
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
PKSA-3ybr-q6r1-fnzm CVE-2026-33492 GHSA-x3pr-vrhq-vq43
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
PKSA-qjdg-5npg-72ng CVE-2026-33488 GHSA-6m5f-j7w2-w953
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
PKSA-v7r8-5fwd-x92z CVE-2026-33485 GHSA-8p58-35c3-ccxx
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
PKSA-f4gx-6t2c-nrd6 CVE-2026-33483 GHSA-vv7w-qf5c-734w
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
PKSA-tp22-rjkg-27h5 CVE-2026-33482 GHSA-pmj8-r2j7-xg6c
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
PKSA-8d9c-5xxm-8vns CVE-2026-33480 GHSA-p3gr-g84w-g8hh
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
PKSA-4kfk-t6qg-77z2 CVE-2026-33479 GHSA-xggw-g9pm-9qhh
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
PKSA-f178-s5q3-rpz6 CVE-2026-33478 GHSA-687q-32c6-8x68
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
PKSA-6mc5-gbk2-4jkz CVE-2026-33354 GHSA-4jw9-5hrc-m4j6
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
PKSA-zqc4-q9ns-kq82 CVE-2026-33352 GHSA-mcj5-6qr4-95fj
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
PKSA-kz4k-1fdq-4jkn CVE-2026-33351 GHSA-5f7v-4f6g-74rj
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
PKSA-qms8-qf5t-6w9q CVE-2026-33297 GHSA-6547-8hrg-c55m
Affected version: <=25.0
Reported by:
GitHub -
[LOW] AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
PKSA-yh5p-7324-8k1n CVE-2026-33296 GHSA-hj5h-5623-gwhw
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
PKSA-7zcq-fgdd-9176 CVE-2026-33295 GHSA-gc3m-4mcr-h3pv
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
PKSA-69wq-d8c2-6qbn CVE-2026-33294 GHSA-66cw-h2mj-j39p
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
PKSA-61gg-79td-yp6m CVE-2026-33293 GHSA-xmjm-86qv-g226
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
PKSA-ht27-8rcs-t939 CVE-2026-33292 GHSA-pw4v-x838-w5pg
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has Unauthenticated PGP Message Decryption via Public Endpoint
PKSA-3whn-q4tm-bwhh GHSA-5x2w-37xf-7962
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
PKSA-5drt-2yg3-m4bb CVE-2026-33319 GHSA-w5ff-2mjc-4phc
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
PKSA-484r-cdwt-2gm4 CVE-2026-33238 GHSA-4wmm-6qxj-fpj4
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
PKSA-1msk-y5kh-hb4p CVE-2026-33237 GHSA-v467-g7g7-hhfh
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
PKSA-spwc-tcr7-cpby CVE-2026-33039 GHSA-9x67-f2v7-63rw
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] Unauthenticated Reflected XSS via innerHTML in AVideo
PKSA-qj1g-pbwp-h996 CVE-2026-33035 GHSA-wfq5-qgqp-hvhv
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
PKSA-pcdx-pg9p-v4gz CVE-2026-33043 GHSA-qc3p-398r-p59j
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php
PKSA-v5mg-73g8-w2x4 CVE-2026-33041 GHSA-px7x-gq96-rmp5
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
PKSA-3jbs-pwhv-9v32 CVE-2026-33038 GHSA-2f9h-23f7-8gcx
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has Unauthenticated IDOR - Playlist Information Disclosure
PKSA-prng-jvqx-4vkt CVE-2026-30885 GHSA-6w2r-cfpc-23r5
Affected version: <25.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
PKSA-876z-dgrg-zwqs CVE-2026-29093 GHSA-xxpw-32hf-q8v9
Affected version: <=21.0
Reported by:
GitHub -
[CRITICAL] WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
PKSA-jc43-whmg-bn3y CVE-2026-29058 GHSA-9j26-99jh-v26q
Affected version: <7.0.0
Reported by:
GitHub -
[CRITICAL] AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
PKSA-p5zb-45dv-s5gy CVE-2026-28502 GHSA-v8jw-8w5p-23g3
Affected version: <21.0
Reported by:
GitHub -
[CRITICAL] AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
PKSA-xtjn-tvnf-r8sj CVE-2026-28501 GHSA-pv87-r9qf-x56p
Affected version: <=21.0.0
Reported by:
GitHub -
[HIGH] AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
PKSA-mpqq-rw7h-r6qr CVE-2026-27732 GHSA-h39h-7cvg-q7j6
Affected version: <=21.0.0
Reported by:
GitHub -
[MEDIUM] AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
PKSA-zj1v-1r3y-vnpg CVE-2026-27568 GHSA-rcqw-6466-3mv7
Affected version: <21.0
Reported by:
GitHub -
[MEDIUM] AVideo cross-site scripting vulnerability in the view/about.php page
PKSA-m87c-2qr6-rc54 CVE-2024-34899 GHSA-f98p-2hc5-fm7v
Affected version: <14.3
Reported by:
GitHub -
[CRITICAL] WWBN AVideo Remote Code Execution
PKSA-1khc-7hwp-86mz CVE-2024-31819 GHSA-mv5w-wr5c-575p
Affected version: >=12.4,<=14.2
Reported by:
GitHub -
[MEDIUM] WWBN AVideo recovery notification bypass vulnerability
PKSA-bpdw-n2tk-hn54 CVE-2023-50172 GHSA-8m5f-2xvp-2c8w
Affected version: <=12.4
Reported by:
GitHub -
[CRITICAL] WWBN AVideo Insufficient Entropy vulnerbaility
PKSA-c41p-f5f9-8mhz CVE-2023-49599 GHSA-wqcc-qf63-c2x4
Affected version: <=12.4
Reported by:
GitHub -
[HIGH] WWBN AVideo Improper Restriction of Excessive Authentication Attempts vulnerability
PKSA-ybsw-d66n-nyf1 CVE-2023-49810 GHSA-v977-h4hm-rrff
Affected version: <=12.4
Reported by:
GitHub -
[HIGH] WWBN AVideo command injection vulnerability
PKSA-ws9n-zq9c-9xzs CVE-2023-32073 GHSA-2mhh-27v7-3vcx
Affected version: <=12.4
Reported by:
GitHub -
[HIGH] WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account
PKSA-t55s-s47b-sccg CVE-2023-30860 GHSA-xr9h-p2rc-rpqm
Affected version: <12.4
Reported by:
GitHub -
[HIGH] Remote code injection in wwbn/avideo
PKSA-ct52-vj4v-3chj CVE-2023-30854 GHSA-6vrj-ph27-qfp3
Affected version: <12.4
Reported by:
GitHub -
[HIGH] Cross site scripting (XSS) in wwbn/avideo
PKSA-8k5w-rfw7-6y43 GHSA-2fch-hv74-fgw9
Affected version: <12.4
Reported by:
GitHub -
[CRITICAL] AVideo contains Command injection when embedding a video link
PKSA-cgqj-pxkw-3pc8 CVE-2023-25313 GHSA-pgvh-p3g4-86jw
Affected version: <12.4
Reported by:
GitHub -
[HIGH] AVideo vulnerable to Improper Privilege Management
PKSA-z1jq-qzpj-5hjc CVE-2020-23489 GHSA-2mgx-226x-8pwv
Affected version: <8.9
Reported by:
GitHub -
[MEDIUM] Open redirect in wwbn/avideo
PKSA-yy51-mh2t-n18p CVE-2022-27463 GHSA-34hv-f45p-4qfq
Affected version: <=11.6
Reported by:
GitHub