
53 matches found

Vulnrichment
added 2026/05/11 8:31 p.m., 3 views

CVE-2026-43873 WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret (`$objClone->myKey`, a constant `md5($global['systemRootPath'] . $global['salt'])`) into the HTTP response body on every unauthenticated request. T...

CVSS 7.5, AI score 5.8, EPSS 0.00041
Exploits 0, References 2

CVE
added 2026/05/11 8:31 p.m., 4 views

CVE-2026-43873

The CVE describes an Information Exposure in WWBN AVideo’s CloneSite feature. In versions up to 29.0, cloneClient.json.php echoes the local CloneSite secret (myKey) on unauthenticated requests, exposing a static per-installation key derived from systemRootPath and salt. When a victim site has a r...

CVSS 7.5, AI score 5.8, EPSS 0.00041
Exploits 0, References 2

Github Security Blog
added 2026/05/05 6:58 p.m., 3 views

AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

Summary: plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret (`$objClone->myKey`, a constant `md5($global['systemRootPath'] . $global['salt'])`) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers...

CVSS 7.5, AI score 5.8, EPSS 0.00041
Exploits 0, References 4, Affected Software 1

Snyk
added 2026/05/05 6:58 p.m., 1 views

Information Exposure

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the cloneClient.json.php process. An attacker can obtain sensitive authentication credentials by sending unauthenticated HTTP requests,...

CVSS 8.7, AI score 5.9, EPSS 0.00041
Exploits 0, References 2

OSV
added 2026/05/05 6:58 p.m., 0 views

GHSA-QM9P-P5PW-JRX2 AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

Summary: plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret (`$objClone->myKey`, a constant `md5($global['systemRootPath'] . $global['salt'])`) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers...

CVSS 7.5, AI score 5.8, EPSS 0.00041
Exploits 0, References 4

Positive Technologies
added 2026/05/05 12:0 a.m., 2 views

PT-2026-37289

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.0. Description: An issue exists where the endpoint 'plugin/CloneSite/cloneClient.json.php' echoes the local CloneSite shared secret, stored in the variable myKey, a constant generated via md5($global['systemRootPath...

CVSS 7.5, AI score 5.9, EPSS 0.00041
Exploits 0, References 8

VulnCheck KEV
added 2026/04/30 12:0 a.m., 6 views

VulnCheck KEV: CVE-2026-33478

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS 10, AI score 6.3, EPSS 0.07135
In wild, Exploits 1, References 2

NVD
added 2026/04/22 12:16 a.m., 4 views

CVE-2026-41304

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

CVSS 9.8, EPSS 0.00649
Exploits 1, References 2

CNNVD
added 2026/04/22 12:0 a.m., 4 views

WWBN AVideo Command Injection Vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a command injection vulnerability. This vulnerability stemmed from improper cleanup during the construction of shell commands using user-controlled url parameters ...

CVSS 9.8, AI score 6.1, EPSS 0.00649
Exploits 1, References 1

NVD
added 2026/04/21 11:16 p.m., 0 views

CVE-2026-41058

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink of arbitrary files via ../../ sequences in the GET parameter. Commit...

CVSS 8.1, EPSS 0.00105
Exploits 1, References 4

CVE
added 2026/04/21 11:7 p.m., 8 views

CVE-2026-41304

CVE-2026-41304 affects WWBN AVideo (versions 29.0 and earlier) via the CloneSite plugin’s cloneServer.json.php. The endpoint builds a shell command by directly concatenating user-supplied input from the url parameter into a wget command and executes it with exec(), enabling command injection. Thi...

CVSS 9.8, AI score 6, EPSS 0.00649
Exploits 1, References 2, Affected Software 1

Cvelist
added 2026/04/21 11:7 p.m., 31 views

CVE-2026-41304 WWBN AVideo vulnerable to RCE caused by clonesite plugin

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

CVSS 9.3, EPSS 0.00649
Exploits 1, References 2

ATTACKERKB
added 2026/04/21 11:7 p.m., 3 views

CVE-2026-41304

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

CVSS 9.3, AI score 6, EPSS 0.00649
Exploits 1, References 3, Affected Software 1

Vulnrichment
added 2026/04/21 11:7 p.m., 1 views

CVE-2026-41304 WWBN AVideo vulnerable to RCE caused by clonesite plugin

WWBN AVideo is an open source video platform. In versions 29.0 and below, the cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input url parameter without proper sanitization. The input is directly concatenated into a wget command executed via...

CVSS 9.3, AI score 6, EPSS 0.00649
Exploits 1, References 2

ATTACKERKB
added 2026/04/21 10:43 p.m., 1 views

CVE-2026-41058

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink of arbitrary files via ../../ sequences in the GET parameter. Commit...

CVSS 8.1, AI score 5.9, EPSS 0.00105
Exploits 1, References 5, Affected Software 1

EUVD
added 2026/04/21 10:43 p.m., 1 views

EUVD-2026-24535

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink of arbitrary files via ../../ sequences in the GET parameter. Commit...

CVSS 8.1, AI score 5.9, EPSS 0.00105
Exploits 1, References 4

Cvelist
added 2026/04/21 10:43 p.m., 28 views

CVE-2026-41058 AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink of arbitrary files via ../../ sequences in the GET parameter. Commit...

CVSS 8.1, EPSS 0.00105
Exploits 1, References 4

CVE
added 2026/04/21 10:43 p.m., 7 views

CVE-2026-41058

WWBN AVideo (open source video platform) is affected in versions 29.0 and below by an incomplete fix for a path-traversal issue in the CloneSite deleteDump parameter. The vulnerability allows an attacker to cause unlink() of arbitrary files via GET parameter ../../ sequences due to missing path-t...

CVSS 8.1, AI score 5.9, EPSS 0.00105
Exploits 1, References 4, Affected Software 1

CNNVD
added 2026/04/21 12:0 a.m., 1 views

WWBN AVideo Path Traversal Vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained a path traversal vulnerability. This vulnerability stemmed from incomplete repairs to the CloneSite deleteDump parameter, without applying path traversal...

CVSS 8.1, AI score 5.8, EPSS 0.00105
Exploits 1, References 1

Positive Technologies
added 2026/04/21 12:0 a.m., 2 views

PT-2026-34227

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier. Description: The CloneSite plugin contains a flaw where the 'cloneServer.json.php' endpoint constructs shell commands using the url parameter without proper sanitization. This input is directly concatenated...

CVSS 9.8, AI score 6.1, EPSS 0.00649
Exploits 1, References 5