WWBN/AVideo
Packagist15 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting WWBN/AVideopage 1 of 1
- CVE-2026-39368MEDIUMCVSS 6.5EG 6.52026-04-07
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticat…
- CVE-2026-39369HIGHCVSS 7.6EG 7.62026-04-07
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, a…
- CVE-2026-39370HIGHCVSS 7.1EG 7.12026-04-07
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif…
- CVE-2026-45578HIGHCVSS 8.8EG 8.82026-05-15
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation…
- CVE-2026-45580MEDIUMCVSS 5.4EG 5.42026-05-15
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw …
- CVE-2026-45610MEDIUMCVSS 5.7EG 5.72026-05-15
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA…
- CVE-2026-45619MEDIUMCVSS 6.5EG 6.52026-05-15
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS…
- CVE-2026-45620MEDIUMCVSS 5.3EG 5.32026-05-18
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables…
- CVE-2026-45731MEDIUMCVSS 4.9EG 4.92026-05-18
WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An a…
- CVE-2026-46337MEDIUMCVSS 5.3EG 5.32026-05-19
WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application…
- CVE-2026-47694MEDIUMCVSS 5.4EG 5.42026-05-29
WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can sto…
- CVE-2026-47696MEDIUMCVSS 4.3EG 4.32026-05-29
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO fo…
- CVE-2026-50182MEDIUMCVSS 6.1EG 6.12026-06-04
WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination # Unauthenticated Reflected XSS via `$_GET['search']` in AVideo YouTubeAPI Gallery Pagination ## Summary A reflected Cross-Site Scrip…
- CVE-2026-50183MEDIUMCVSS 4.7EG 4.72026-06-04
WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section # Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section ## Summary A stored Cross-Site Scripting vulnerability (CWE-7…
- CVE-2026-54458CRITICALCVSS 9.6EG 9.62026-06-04
WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin # Unauthenticated Stored DOM XSS via `page_title` Broadcast in AVideo YPTSocket Plugin ## Summary A stored DOM Cross-Site…
Check whether WWBN/AVideo is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for WWBN/AVideo CVEs against the assets you own.
Start Free Scan →