32 matches found
CVE-2026-45580
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
CVE-2026-45580
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
CVE-2026-45580 WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
CVE-2026-45580
CVE-2026-45580 affects WWBN/AVideo versions 29.0 and earlier, via stored XSS in the Live plugin’s YouTube-style live view. The root cause is that modeYoutubeLive.php renders the live stream key directly into an HTML class attribute without escaping, enabling a canStream user to persist a key cont...
CVE-2026-45580
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
EUVD-2026-33311
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
CVE-2026-45580 WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...
WWBN AVideo 跨站脚本漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the Live plugin’s YouTube-style view, which rendered the live stream key directly into HTML...
Astra Linux - уязвимость в redis
Redis is an in-memory database that persists data on disk. A specially crafted XAUTOCLAIM command on a stream key in a specific state may lead to a heap overflow, and potentially remote code execution. This issue affects versions on the 7.x branch prior to 7.0.4. The patch is released in version...
AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
Summary Type: Stored cross-site scripting. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and...
GHSA-M5J4-7R85-2CJ2 AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
Summary Type: Stored cross-site scripting. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and...
Cross-site Scripting (XSS)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of the modeYoutubeLive.php template, where user-supplied input is echoed directly into an HTML class attribute without...
PT-2026-43461
Name of the Vulnerable Software and Affected Versions AVideo versions 29.0 and earlier Description A stored cross-site scripting issue exists in the Live plugin's "YouTube-style" view. The application renders the live transmission's stream key into an HTML class attribute using a raw echo without...
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374
CVE-2026-34374 affects WWBN AVideo up to version 26.0. The vulnerability is due to Live_schedule::keyExists() constructing a SQL query by directly interpolating the stream key (unparameterized) when used as a fallback from LiveTransmition::keyExists(), bypassing the parameterized protection. This...
EUVD-2026-16750
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...