wwbn/avideo Security Advisories for 29.0 (46)
-
[CRITICAL] WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
PKSA-rftd-5wbt-6qx1 GHSA-8whc-2wmv-ww35
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
PKSA-qfq6-tncf-8grt CVE-2026-50183 GHSA-66q5-cj5g-wrfx
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination
PKSA-s76b-xf2h-zmsc CVE-2026-50182 GHSA-hgjh-6wj8-gcgf
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
PKSA-k9kk-fbnx-923m CVE-2026-49279 GHSA-2fhx-q92v-5fhv
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
PKSA-59k2-q697-bf8x CVE-2026-47696 GHSA-9392-pj54-qqf8
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Stored XSS via unescaped Gallery category description
PKSA-4cz6-6cfv-8gy3 CVE-2026-47694 GHSA-c8h8-vq34-9fw2
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
PKSA-2zy4-bynz-m2w3 CVE-2026-46337 GHSA-w4qq-74h6-58wq
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Authenticated Arbitrary File Read in view/update.php
PKSA-qsmt-54t8-4cfb CVE-2026-45731 GHSA-3mjv-375j-6h92
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
PKSA-23zk-pg8x-sksb CVE-2026-45620 GHSA-vpfx-pxqw-2w79
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
PKSA-fc5p-jrjx-1jy4 CVE-2026-45619 GHSA-c3ch-22rq-xfwr
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
PKSA-p6p4-r212-wdgb CVE-2026-45610 GHSA-3mv2-vmwh-rwfx
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
PKSA-wfgs-zzz2-wqdc CVE-2026-45580 GHSA-m5j4-7r85-2cj2
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
PKSA-rjrh-w2j8-5qv7 CVE-2026-45578 GHSA-xw67-cg5f-4m2r
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo's Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
PKSA-psg4-6wzm-s4q8 GHSA-qxvm-r42f-5p8j
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
PKSA-fx66-ws43-zr1x CVE-2026-43885 GHSA-xr49-f4rh-qcjf
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
PKSA-458v-1gr5-bf2y CVE-2026-43884 GHSA-2hch-c97c-g99x
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
PKSA-45d7-4cq7-wyg1 CVE-2026-43883 GHSA-958h-qp3x-q4gj
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
PKSA-81bf-8cfg-hbh2 CVE-2026-43882 GHSA-mwgh-92m2-wvhv
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
PKSA-m1k1-6n5g-5skj CVE-2026-43881 GHSA-6rvw-7p8v-mjfq
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
PKSA-7c98-nyt4-qt25 CVE-2026-43880 GHSA-5hgj-7gm9-cff5
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
PKSA-n1mw-ddw6-yyqd CVE-2026-43879 GHSA-wp38-whx3-xffh
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
PKSA-x5f2-6rvc-vhkd CVE-2026-43878 GHSA-mm5f-8q57-4fc4
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
PKSA-7rzh-pwkp-t841 CVE-2026-43877 GHSA-jw8g-5j46-44rp
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
PKSA-71gv-fx3g-ynk8 CVE-2026-43876 GHSA-g9cm-rxp7-6gv5
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
PKSA-dbh3-mg7m-c1nc CVE-2026-43875 GHSA-5w8w-26ch-v5cw
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
PKSA-15fj-zg4r-zsnq CVE-2026-43874 GHSA-ghcv-22jf-vfxm
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
PKSA-5tbj-dcxw-w2wv CVE-2026-43873 GHSA-qm9p-p5pw-jrx2
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo: RCE caused by clonesite plugin
PKSA-z3t4-4xbz-b3c9 CVE-2026-41304 GHSA-xr6f-h4x7-r6qp
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
PKSA-v7bq-jd15-qdrz CVE-2026-41064 GHSA-pq8p-wc4f-vg7j
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
PKSA-gvmz-qdx4-njzh CVE-2026-41063 GHSA-m7r8-6q9j-m2hc
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
PKSA-pt2z-fxr4-fvmc CVE-2026-41062 GHSA-m63r-m9jh-3vc6
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
PKSA-gxyd-jpvf-3ngj CVE-2026-41061 GHSA-8pv3-29pp-pf8f
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has an SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
PKSA-8cks-7g1w-tz19 CVE-2026-41060 GHSA-j432-4w3j-3w8j
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
PKSA-q934-7bnb-4bby CVE-2026-41058 GHSA-5879-4fmr-xwf2
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
PKSA-tsyg-vszv-9tkz CVE-2026-41057 GHSA-ff5q-cc22-fgp4
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
PKSA-5c4b-gnfd-8xsq CVE-2026-41056 GHSA-ccq9-r5cw-5hwq
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
PKSA-zgmc-4215-ztzk CVE-2026-41055 GHSA-793q-xgj6-7frp
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
PKSA-k6wt-ck7m-8514 CVE-2026-40935 GHSA-hg7g-56h5-5pqr
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
PKSA-8nj2-vhcz-7bc5 CVE-2026-40929 GHSA-8qm8-g55h-xmqr
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
PKSA-k36z-m2m9-7f9w CVE-2026-40928 GHSA-x2pw-9c38-cp2j
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
PKSA-ttj4-18vr-tsp9 CVE-2026-40926 GHSA-ffw8-fwxp-h64w
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
PKSA-nfcd-g6c3-5tff CVE-2026-40925 GHSA-vvfw-4m39-fjqf
Affected version: <=29.0
Reported by:
GitHub -
[CRITICAL] WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
PKSA-zr2c-vrf1-x6qy CVE-2026-40911 GHSA-gph2-j4c9-vhhr
Affected version: <=29.0
Reported by:
GitHub -
[HIGH] WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
PKSA-mbzn-myxk-vdz9 CVE-2026-40909 GHSA-6rc6-p838-686f
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
PKSA-yc9y-ydj1-h48d CVE-2026-40908 GHSA-52hf-63q4-r926
Affected version: <=29.0
Reported by:
GitHub -
[MEDIUM] WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
PKSA-2sy8-4q8b-cn2c CVE-2026-40907 GHSA-gpgp-w4x2-h3h7
Affected version: <=29.0
Reported by:
GitHub