6 matches found
CVE-2026-41061
WWBN AVideo is an open source video platform. In versions 29.0 and below, the isValidDuration regex at objects/video.php:918 uses /^0-91,2:0-91,2:0-91,2/ without a $ end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the...
EUVD-2026-19454
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...
CVE-2026-33295
CVE-2026-33295 affects WWBN/AVideo prior to version 26.0, where a stored XSS exists in the CDN plugin’s downloadButtons.php. The vulnerability arises because the video record field clean_title is interpolated directly into a JavaScript string literal without escaping, enabling an attacker who can...
CVE-2026-33038
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and...
CVE-2026-33041
CVE-2026-33041 affects WWBN AVideo. In versions 25.0 and earlier, the endpoint /objects/encryptPass.json.php exposes the site’s password hashing algorithm to unauthenticated users, allowing submission of a password to receive its hash and enabling offline cracking against leaked database hashes. ...
PT-2025-30672 · Wwbn · Avideo
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 14.4 and dev master commit 8a8954ff Description: A race condition exists in the aVideoEncoder.json.php unzip functionality. A series of specially crafted HTTP requests can lead to arbitrary code execution. Recommendations...