WWBN AVideo 11.6 - Cross-Site Scripting

A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution. id: CVE-2023-48728 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: ritikchaddha severity: medium...

WWBN AVideo 11.6 - Cross-Site Scripting

WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'toast' parameter, which is inserted into the document with insufficient sanitization. id: CVE-2022-32770 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: arafatansari severity:...

WWBN AVideo 11.6 - Cross-Site Scripting

WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'msg' parameter, which is inserted into the document with insufficient sanitization. id: CVE-2022-32772 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: arafatansari severity: medi...

WWBN AVideo 11.6 - Cross-Site Scripting

WWBN AVideo 11.6 contains a cross-site scripting vulnerability in the footer alerts functionality via the 'success' parameter, which is inserted into the document with insufficient sanitization. id: CVE-2022-32771 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: arafatansari severity:...

GHSA-7CQP-7CFV-6C3Q AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

CVE-2026-33731

creationtimestamp| type| source ---|---|--- 2026-06-22 14:00:57+00:00| published-proof-of-concept| https://github.com/WWBN/AVideo/security/advisories/GHSA-95jh-7r58-xmxw...

CVE-2026-56345

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target usersid from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload wit...

CVE-2026-56347

CVE-2026-56347 affects the AVideo TopMenu plugin up to version 26.0. The issue is a stored cross-site scripting vulnerability in menu item rendering caused by missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fiel...

EUVD-2026-38134

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site...

CVE-2026-56347 AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site...

CVE-2026-56346

CVE-2026-56346 affects AVideo up to version 25.0, with an authentication bypass in the decryptMessage.json.php endpoint that lets unauthenticated users decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to trigger server-side decryption without credentials...

CVE-2026-56345 AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target usersid from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload wit...

EUVD-2026-38131

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

CVE-2026-56342 AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

CVE-2026-56341

AVideo prior to 26.1 (through version 26.0) exposes unauthenticated access to payment data via multiple list.json.php endpoints in payment plugins, lacking authorization checks. The issue enables retrieval of PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records, including agreem...

EUVD-2026-38130

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including...

PT-2026-51174

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 27.1 Description Authenticated administrators can perform server-side request forgery SSRF—a flaw where a server is tricked into making requests to an unintended location—via the 'plugin/Live/test.php' endpoint. The...

CVE-2026-43875

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user== where is the victim's stored password hash md5hash"whirlpool", sha1password read directly from the...

CVE-2026-43881

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

CVE-2026-43878

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a...