
42 matches found

Circl
added 2026/06/22 2:00 p.m., 5 views

CVE-2026-33731

creationtimestamp | type | source
--- | --- | ---
2026-06-22 14:00:57+00:00 | published-proof-of-concept | https://github.com/WWBN/AVideo/security/advisories/GHSA-95jh-7r58-xmxw...

AI score 5.8 | Exploits 0 | References 1
RedhatCVE
added 2026/06/05 7:13 p.m., 10 views

CVE-2026-40925

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php (also routed via /updateConfig) persists dozens of global site settings from $_POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

CVSS 8.3 | AI score 5.4 | EPSS 0.00173 | Exploits 1 | References 1
CNNVD
added 2026/05/11 12:00 a.m., 9 views

WWBN AVideo Access Control Error Vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained an access control vulnerability. This vulnerability stemmed from the objects/users.json.php file exposing unvalidated paths, which could allow attackers to...

CVSS 5.3 | AI score 5.8 | EPSS 0.0027 | Exploits 0 | References 1
Snyk
added 2026/05/05 7:07 p.m., 7 views

Arbitrary Code Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary Code Injection through the autoEvalCodeOnHTML process. An attacker can execute arbitrary JavaScript code in the browser context of any logged-in user by...

CVSS 7.2 | AI score 6.1 | EPSS 0.00238 | Exploits 0 | References 2
Metasploit
added 2026/04/10 7:02 p.m., 347 views

AVideo Unauthenticated SQL Injection Credential Dump

AVideo
use auxiliary/gather/avideo_catname_sqli
msf auxiliary(avideo_catname_sqli) > show actions
...actions...
msf auxiliary(avideo_catname_sqli) > set ACTION
msf auxiliary(avideo_catname_sqli) > show options
...show and set options...
msf auxiliary(avideo_catname_sqli) > run
This module requires Metasploit:...

CVSS 9.8 | AI score 5.6 | EPSS 0.0151 | Exploits 1
Github Security Blog
added 2026/04/08 12:08 a.m., 7 views

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs

Summary objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local...

CVSS 7.6 | AI score 5.9 | EPSS 0.00412 | Exploits 0 | References 4 | Affected software 1
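Added example, not AVideo's code and not from the advisory above: why deleting "../" is not a traversal fix. The GIF poster entry describes a same-origin /videos/... fetch that got past the traversal scrubbing. The block contrasts a naive scrub with a canonicalise-then-contain check; the function names, the throwaway media root and the requested paths are constructed for the illustration.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_scrub(user_path: str) -> str:
    """The bypassable pattern: one non-recursive removal of the literal "../".

    "....//" survives a single pass as "../", so the scrub can manufacture the
    very sequence it was meant to remove.
    """
    return user_path.replace("../", "")


def resolve_media_path(media_root: str, user_path: str) -> Optional[str]:
    """Map a user-supplied path under media_root, or return None if it escapes.

    Percent-decoding happens first so "%2e%2e" is seen as "..", realpath then
    resolves "..", "." and symlinks, and the containment test runs on that
    canonical result rather than on the string the user sent.
    """
    root = os.path.realpath(media_root)
    relative = unquote(user_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Constructed inputs against a throwaway media root (hypothetical layout)."""
    root = tempfile.mkdtemp(prefix="media_")
    payload = "....//....//etc/passwd"
    return {
        # what the naive scrub turns the payload into
        "scrubbed": naive_scrub(payload),
        # the scrubbed string now escapes; the canonical check still refuses it
        "after_scrub": resolve_media_path(root, naive_scrub(payload)),
        # encoded dots are decoded before the check, so they cannot slip past
        "encoded": resolve_media_path(root, "videos/%2e%2e/%2e%2e/etc/passwd"),
        # an ordinary request resolves to the expected file under the root
        "legit": resolve_media_path(root, "/videos/poster.gif")
        == os.path.join(os.path.realpath(root), "videos", "poster.gif"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment test is done on the canonical path, never on the user string, which is why the same function also handles percent-encoded and symlinked variants without a list of bad substrings.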
NVD
added 2026/03/27 7:16 p.m., 13 views

CVE-2026-34369

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideofile and getapivideo API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal we...

CVSS 5.3 | EPSS 0.00376 | Exploits 1 | References 2
ATTACKERKB
added 2026/03/27 4:12 p.m., 2 views

CVE-2026-33767

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in objects/like.php, the getLike method constructs a SQL query using a prepared-statement placeholder (?) for users_id but directly concatenates $this->videos_id into the query string without parameterization. An...

CVSS 7.1 | AI score 6 | EPSS 0.00509 | Exploits 1 | References 3 | Affected software 1
ATTACKERKB
added 2026/03/23 6:50 p.m., 5 views

CVE-2026-33723

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Subscribe::save method in objects/subscribe.php concatenates the $this->users_id property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from...

CVSS 7.1 | AI score 6 | EPSS 0.00224 | Exploits 1 | References 3 | Affected software 1
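Added example, not AVideo's code: one bound parameter does not protect a second value that is concatenated. Both entries above (getLike in objects/like.php and Subscribe::save in objects/subscribe.php) describe the same shape, a users_id that goes through a ? placeholder next to a property pasted into the SQL string. The block reproduces that shape against an in-memory SQLite table; the schema, rows and the hostile videos_id value are constructed, and the function names are hypothetical.

```python
import sqlite3

# Constructed table: who liked (1) or disliked (-1) which video.
SCHEMA = """
CREATE TABLE likes (users_id INTEGER, videos_id INTEGER, `like` INTEGER);
INSERT INTO likes VALUES (1, 10, 1), (2, 10, -1), (1, 11, 1);
"""


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_like_mixed(db: sqlite3.Connection, users_id: int, videos_id) -> list:
    """The flawed shape: users_id is bound, videos_id is string-concatenated.

    Whatever videos_id contains becomes part of the statement the engine
    parses, so "10 OR 1=1" rewrites the WHERE clause.
    """
    sql = ("SELECT `like` FROM likes WHERE users_id = ? AND videos_id = "
           + str(videos_id) + " ORDER BY rowid")
    return [row[0] for row in db.execute(sql, (users_id,))]


def get_like_bound(db: sqlite3.Connection, users_id: int, videos_id) -> list:
    """Both values bound: the driver passes videos_id as data, never as SQL.

    A payload such as "10 OR 1=1" is compared as a string against an integer
    column and simply matches nothing.
    """
    sql = ("SELECT `like` FROM likes WHERE users_id = ? AND videos_id = ? "
           "ORDER BY rowid")
    return [row[0] for row in db.execute(sql, (users_id, videos_id))]


if __name__ == "__main__":
    db = fresh_db()
    payload = "10 OR 1=1"  # constructed hostile videos_id
    print("mixed, benign :", get_like_mixed(db, 1, 10))
    print("mixed, payload:", get_like_mixed(db, 1, payload))
    print("bound, benign :", get_like_bound(db, 1, 10))
    print("bound, payload:", get_like_bound(db, 1, payload))
```

Binding alone removes the injection; validating that videos_id is an integer before the query is still worth doing so that a string never reaches the database at all.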
ATTACKERKB
added 2026/03/23 6:45 p.m., 6 views

CVE-2026-33690

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-base...

CVSS 5.3 | AI score 5.8 | EPSS 0.00175 | Exploits 1 | References 3 | Affected software 1
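Added example, not AVideo's code: resolving the client IP without trusting a header that arrived on a direct connection. The entry above says getRealIpAddr trusts user-controlled headers; the naive function below reproduces that shape, while client_ip consults X-Forwarded-For only when the TCP peer is a configured proxy and walks the chain from the right. The function names, proxy ranges and addresses are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, Optional


def naive_real_ip(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Header first, peer second: any client can set the header."""
    if forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the client's IP, honouring X-Forwarded-For only behind a trusted proxy.

    The chain is read from the right: each trusted proxy appends the address
    it saw, so the rightmost address that is not one of our proxies is the
    client. Anything an attacker prepends sits further left and is ignored.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)

    def trusted(ip) -> bool:
        return any(ip in net for net in nets)

    if not forwarded_for or not trusted(peer):
        return str(peer)            # direct client: the header is attacker-controlled
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)        # malformed chain: trust none of it
        if not trusted(ip):
            return str(ip)          # rightmost address not added by our proxies
    return str(peer)                # whole chain was our proxies; use the peer


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]        # constructed: our load balancer range
    print(naive_real_ip("203.0.113.7", "127.0.0.1"))                       # spoofed
    print(client_ip("203.0.113.7", "127.0.0.1", proxies))                  # peer wins
    print(client_ip("10.0.0.5", "127.0.0.1, 198.51.100.9", proxies))       # prepended value ignored
```

Any IP-based allow-list or rate limit built on the naive function is only as strong as the attacker's ability to type a header, which is the point the advisory makes.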
Cvelist
added 2026/03/23 6:25 p.m., 21 views

CVE-2026-33648 AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then...

CVSS 8.8 | EPSS 0.00612 | Exploits 1 | References 2
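Added example, not AVideo's code: why an identifier that ends up in a shell command must be validated, and why the path should be quoted even then. The entry above describes users_id and liveTransmitionHistory_id from a JSON body being embedded in a log path that is then handed to a command. Here the restreamer launch is replaced by echo so the run is harmless; the log-name layout, the hostile value and the working directory are constructed, and the function names are hypothetical.

```python
import re
import shlex
import subprocess
import tempfile

ID_RE = re.compile(r"[0-9]{1,18}")


def validate_id(value) -> int:
    """Accept only a plain decimal integer; anything else is rejected before it
    can reach a path or a command line."""
    text = str(value)
    if not ID_RE.fullmatch(text):
        raise ValueError(f"invalid id: {text!r}")
    return int(text)


def log_name_unsafe(users_id, history_id) -> str:
    """The flawed shape: request values pasted straight into the file name."""
    return f"{users_id}_{history_id}.log"


def log_name_safe(users_id, history_id) -> str:
    return f"{validate_id(users_id)}_{validate_id(history_id)}.log"


def run_logger(log_name: str, quoted: bool, workdir: str) -> str:
    """Stand-in for the restreamer launch: redirect 'started' into log_name via /bin/sh.

    Returns whatever reached stdout; a clean run prints nothing because the
    only output is redirected into the log file.
    """
    target = shlex.quote(log_name) if quoted else log_name
    proc = subprocess.run(f"echo started > {target} 2>&1", shell=True,
                          cwd=workdir, capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    payload = "7; echo INJECTED"              # constructed hostile history id
    workdir = tempfile.mkdtemp(prefix="restreamer_")
    out = {
        # unquoted: the ';' ends the redirect and the rest runs as a command
        "unquoted": run_logger(log_name_unsafe(1, payload), False, workdir),
        # quoted: the whole value is one odd file name, nothing else runs
        "quoted": run_logger(log_name_unsafe(1, payload), True, workdir),
    }
    try:
        log_name_safe(1, payload)
        out["validated"] = "accepted"
    except ValueError:
        out["validated"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Quoting fixes the shell metacharacter problem; validation fixes the root cause, since a numeric id has no business containing anything but digits. Passing an argv list to subprocess without a shell, and opening the log file from Python, removes the shell from the picture entirely.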
Snyk
added 2026/03/20 9:55 p.m., 3 views

Use of a Broken or Risky Cryptographic Algorithm

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the decryptString function. An attacker can access confidential information by submitting arbitrary ciphertext...

CVSS 8.7 | AI score 5.9 | EPSS 0.00234 | Exploits 1 | References 5
Vulnrichment
added 2026/03/20 5:52 a.m., 3 views

CVE-2026-33043 AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

CVSS 8.1 | AI score 5.8 | EPSS 0.00345 | Exploits 1 | References 2
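Added example, not AVideo's code: credentialed CORS with an allow-list instead of Origin reflection. The entry above pairs a reflected Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, which lets any site read an authenticated response. Three policies are shown: reflection (the flawed shape), a prefix check that looks like a fix but is not, and an exact-match allow-list, plus a small approximation of the browser's decision. The origins and the function names are constructed.

```python
from typing import Dict, Optional, Set


def cors_reflect(origin: Optional[str]) -> Dict[str, str]:
    """The flawed shape: echo whatever Origin arrived and allow credentials."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_prefix(origin: Optional[str], allowed_prefix: str) -> Dict[str, str]:
    """Still wrong: 'https://app.example' also matches 'https://app.example.attacker'."""
    if origin and origin.startswith(allowed_prefix):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def cors_allowlist(origin: Optional[str], allowed: Set[str]) -> Dict[str, str]:
    """Exact match on the full origin (scheme, host, port); otherwise no ACAO at all.

    A wildcard cannot be combined with credentials, so echoing the matched
    origin is the only way to permit a credentialed cross-site read. Vary:
    Origin stops a shared cache replaying one origin's headers to another.
    """
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def browser_can_read(headers: Dict[str, str], page_origin: str) -> bool:
    """Approximates the browser's check for a credentialed fetch: ACAO must equal
    the requesting origin exactly and ACAC must be 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == page_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    good, evil = "https://app.example", "https://app.example.attacker"  # constructed
    print("reflect  :", browser_can_read(cors_reflect(evil), evil))
    print("prefix   :", browser_can_read(cors_prefix(evil, good), evil))
    print("allowlist:", browser_can_read(cors_allowlist(evil, {good}), evil))
    print("allowlist, legit:", browser_can_read(cors_allowlist(good, {good}), good))
```

With reflection, a page on any origin can issue a credentialed fetch to the session-id endpoint and read the body; with the allow-list, the browser withholds the response because the header does not name the requesting origin.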
Snyk
added 2026/03/17 7:48 p.m., 3 views

Information Exposure

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the encryptPass.json.php process. An attacker can obtain hashed equivalents of arbitrary passwords by submitting them to the exposed...

CVSS 6.9 | AI score 5.9 | EPSS 0.00327 | Exploits 1 | References 2
Snyk
added 2026/03/02 8:49 p.m., 2 views

SQL Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection via the catName parameter in JSON-formatted POST requests to objects/videos.json.php and objects/video.php. An attacker can execute arbitrary SQL...

CVSS 9.8 | AI score 6.2 | EPSS 0.0151 | Exploits 1 | References 2
Packet Storm
added 2026/01/16 12:00 a.m., 178 views

AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in AVideo's notify.ffmpeg.json.php endpoint. The vulnerability stems from a critical cryptographic weakness in the salt generation mechanism, combined with information disclosure vulnerabilities that allow an...

CVSS 9.3 | AI score 7.9 | EPSS 0.01457 | Exploits 2
RedhatCVE
added 2026/01/09 12:41 p.m., 17 views

CVE-2023-25314

Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4 allows attackers to gain sensitive information via the success parameter to /user...

CVSS 6.1 | AI score 5.8 | EPSS 0.00395 | Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:54 a.m., 7 views

CVE-2020-23489

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin...

CVSS 8.8 | AI score 7 | EPSS 0.02329 | Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:54 a.m., 6 views

CVE-2020-23490

There was a local file disclosure vulnerability in AVideo 8.9 via proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server, which could leak database credentials or other sensitive information such as the /etc/passwd file...

CVSS 7.5 | AI score 6.3 | EPSS 0.02623 | Exploits 1 | References 1
Cvelist
added 2025/12/19 3:37 p.m., 26 views

CVE-2025-34433 AVideo < 20.1 Unauthenticated RCE via Predictable Installation Salt

AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP's uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through...

CVSS 9.3 | EPSS 0.01457 | Exploits 2 | References 4
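Added example, not AVideo's code and not the Metasploit module's: how small the search space is for a salt built from PHP's uniqid(). Both the Packet Storm module entry and CVE-2025-34433 above attribute the RCE to a salt generated with uniqid() plus a public endpoint that leaks the installation timestamp. uniqid() without more_entropy is just the current second and microsecond in hex, so knowing the second leaves at most one million candidates. The derived identifier below is a constructed SHA-256 stand-in, not AVideo's actual derivation, and the timestamp and microsecond values are constructed.

```python
import hashlib
import secrets
from typing import Optional


def php_uniqid(sec: int, usec: int) -> str:
    """Reproduce uniqid()'s 13-character output: %08x seconds, then %05x microseconds."""
    if not 0 <= usec < 1_000_000:
        raise ValueError("usec out of range")
    return f"{sec:08x}{usec:05x}"


def derived_id(salt: str) -> str:
    """Constructed stand-in for a hash the application derives from the salt."""
    return hashlib.sha256(salt.encode()).hexdigest()


def recover_salt(install_sec: int, target: str, window_sec: int = 1) -> Optional[str]:
    """Try every uniqid() value possible in [install_sec, install_sec + window_sec).

    One leaked second costs at most 1,000,000 hashes; an uncertainty of a few
    seconds multiplies that by the window, which is still trivial work.
    """
    for sec in range(install_sec, install_sec + window_sec):
        for usec in range(1_000_000):
            candidate = php_uniqid(sec, usec)
            if derived_id(candidate) == target:
                return candidate
    return None


def strong_salt(nbytes: int = 32) -> str:
    """What the salt should have been: CSPRNG output, unrelated to any clock."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    install_sec, install_usec = 1700000000, 4242        # constructed install moment
    salt = php_uniqid(install_sec, install_usec)
    leaked = derived_id(salt)                            # what the public endpoint would expose
    print("salt            :", salt)
    print("recovered       :", recover_salt(install_sec, leaked))
    print("strong salt     :", strong_salt())
```

The recovery loop is the whole weakness: the only unknown in a uniqid() value is the microsecond counter, and the leaked timestamp fixes everything else. A salt from the CSPRNG has 256 bits of unknown material and no public anchor to search from.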