wwbn/avideo
Packagist62 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting wwbn/avideopage 2 of 2
- CVE-2026-43879MEDIUMCVSS 5.4EG 5.42026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..…
- CVE-2026-43880MEDIUMCVSS 5.3EG 5.32026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo t…
- CVE-2026-43881MEDIUMCVSS 5.3EG 5.32026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the…
- CVE-2026-43882MEDIUMCVSS 4.3EG 4.32026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloa…
- CVE-2026-43883MEDIUMCVSS 4.2EG 4.22026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the auth…
- CVE-2026-43884HIGHCVSS 7.7EG 7.72026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them us…
- CVE-2026-43885HIGHCVSS 7.7EG 7.72026-05-11
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. C…
- CVE-2026-49279HIGHCVSS 0.0EG 0.02026-06-04
vulnerable: 10.4 ... 29.0 (18 versions)
WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass) # AVideo: Stored XSS via `autoEvalCodeOnHTML` in MessageSQLite WebSocket Handler ## Summary AVideo has a stored XSS vulnera…
- CVE-2026-56341HIGHCVSS 7.5EG 7.52026-06-20
vulnerable: 10.4 ... 26.0 (17 versions)
AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attacke…
- CVE-2026-56346MEDIUMCVSS 6.5EG 6.52026-06-20
vulnerable: 10.4 ... 25.0 (16 versions)
AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passph…
- CVE-2026-56347MEDIUMCVSS 6.1EG 6.12026-06-20
vulnerable: 10.4 ... 26.0 (17 versions)
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through…
- CVE-2026-60092MEDIUMCVSS 6.1EG 6.12026-07-08
vulnerable: 10.4 ... 29.0 (18 versions)
AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP U…
Check whether wwbn/avideo is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for wwbn/avideo CVEs against the assets you own.
Start Free Scan →