
200 matches found

vulnersOsv
added 2026/04/21 5:17 p.m., 2 views

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-39320 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-39320 Source advisory: OSV:GHSA-7GCJ-PHFF-2884...

CVSS 7.5 | AI score 5.8 | EPSS 0.00075
Exploits: 1

RedhatCVE
added 2026/04/07 11:1 p.m., 0 views

CVE-2026-35208

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.4 | AI score 6 | EPSS 0.00039
Exploits: 1 | References: 1

NVD
added 2026/04/07 8:16 p.m., 0 views

CVE-2026-39368

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...

CVSS 6.5 | EPSS 0.00036
Exploits: 0 | References: 1

Cvelist
added 2026/04/07 7:23 p.m., 16 views

CVE-2026-39368 WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...

CVSS 6.5 | EPSS 0.00036
Exploits: 0 | References: 1

NVD
added 2026/04/06 9:16 p.m., 1 view

CVE-2026-35208

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.4 | EPSS 0.00039
Exploits: 1 | References: 3

EUVD
added 2026/04/06 8:6 p.m., 0 views

EUVD-2026-19476

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3 | AI score 6 | EPSS 0.00039
Exploits: 1 | References: 3

ATTACKERKB
added 2026/04/06 8:6 p.m., 1 view

CVE-2026-35208

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3 | AI score 6 | EPSS 0.00039
Exploits: 1 | References: 4

CVE
added 2026/04/06 8:6 p.m., 5 views

CVE-2026-35208

CVE-2026-35208 affects lichess.org: an Unsanitized Stream Title Injection occurs in the streamer workflow where approved streamers can inject HTML into the /streamer page and the Live streams widget by providing a title, which is rendered in the UI as-is. CSP blocks inline scripts, but the vulner...

CVSS 5.4 | AI score 6 | EPSS 0.00039
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2026/04/06 8:6 p.m., 12 views

CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3 | EPSS 0.00039
Exploits: 1 | References: 3

Vulnrichment
added 2026/04/06 8:6 p.m., 1 view

CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3 | AI score 6 | EPSS 0.00039
Exploits: 1 | References: 3

Positive Technologies
added 2026/04/06 12:0 a.m., 1 view

PT-2026-30726

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3 | AI score 6 | EPSS 0.00039
Exploits: 1 | References: 4

vulnersOsv
added 2026/04/03 9:42 p.m., 1 view

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-33951 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-33951 Source advisory: OSV:GHSA-GFMV-VH34-H2X5...

CVSS 7.5 | AI score 5.8 | EPSS 0.00102
Exploits: 0

vulnersOsv
added 2026/04/03 9:37 p.m., 1 view

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-33950 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-33950 Source advisory: OSV:GHSA-X8HC-FQV3-7GWF...

CVSS 9.4 | AI score 5.8 | EPSS 0.00031
Exploits: 1

vulnersOsv
added 2026/04/03 4:4 a.m., 2 views

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-35038 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-35038 Source advisory: OSV:GHSA-QH3J-MRG8-F234...

CVSS 6.5 | AI score 5.8 | EPSS 0.00067
Exploits: 1

GitHub Security Blog
added 2026/03/25 9:28 p.m., 4 views

AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

Summary The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always...

CVSS 9.4 | AI score 6 | EPSS 0.00106
Exploits: 1 | References: 4 | Affected Software: 1

Snyk
added 2026/03/25 9:28 p.m., 0 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the streamerURL parameter in control.json.php. An attacker can gain unauthorized control over live streams by supplying a...

CVSS 9.4 | AI score 5.8 | EPSS 0.00106
Exploits: 1 | References: 2

OSV
added 2026/03/25 9:28 p.m., 5 views

GHSA-9HV9-GVWM-95F2 AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

Summary The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always...

CVSS 9.4 | AI score 6 | EPSS 0.00106
Exploits: 1 | References: 4

EUVD
added 2026/03/25 9:28 p.m., 5 views

EUVD-2026-14502

AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php...

CVSS 9.4 | AI score 5.8 | EPSS 0.00106
Exploits: 1 | References: 3

CVE
added 2026/03/23 6:46 p.m., 7 views

CVE-2026-33716

WWBN AVideo v2/3 up to 26.0 (open source video platform) is affected by a flaw in the standalone live stream control endpoint plugin/Live/standAloneFiles/control.json.php. The user-supplied streamerURL can override token verification requests, enabling an attacker to redirect verification to a ma...

CVSS 9.4 | AI score 5.8 | EPSS 0.00106
Exploits: 1 | References: 2 | Affected Software: 1

ATTACKERKB
added 2026/03/23 6:46 p.m., 2 views

CVE-2026-33716

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An...

CVSS 9.4 | AI score 5.8 | EPSS 0.00106
Exploits: 1 | References: 3 | Affected Software: 1