CVE-2026-41064

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Commit...

CVE-2026-41064 AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Commit...

CVE-2026-41064

WWBN AVideo’s CVE-2026-33502 family is about an incomplete fix in plugin/Live/test.php. Affected versions (reported up to 29.0 in the CVE note, with related docs citing patch activity around commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3) show that the wget path in test.php uses unsanitized user...

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVE-2026-35449 WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

GHSA-HG8Q-8WQR-35XX AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained security vulnerabilities. These vulnerabilities stemmed from logical errors in the test.php debugging endpoint of the StripeYPT plugin, which could lead to arbitra...

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the test.php endpoint. An attacker can access internal network resources, probe open or closed ports, and retrieve content fro...

EUVD-2021-34735

OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obixtest.php with malicious 'id' values to extract database information...

CVE-2023-1681

A vulnerability, which was classified as problematic, was found in Xunrui CMS 4.61. Affected is an unknown function of the file /config/myfield/test.php. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public an...

Personal Weather Station Dashboard 安全漏洞

Personal Weather Station Dashboard PWSDashboard is a data-rich weather dashboard from the PWSDashboard open source. A security vulnerability exists in Personal Weather Station Dashboard, which stems from a directory traversal vulnerability in /test.php that could lead to reading arbitrary files...

USN-6825-1 libphp-adodb vulnerabilities

It was discovered that the PDO driver in ADOdb was incorrectly handling string quotes. A remote attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 16.04 LTS. CVE-2016-7405 It was discovered that ADOdb was incorrectly handling GET parameters in...

VulnCheck KEV: CVE-2022-40881

SolarView Compact 6.00 was discovered to contain a command injection vulnerability via networktest.php...

PT-2023-22458 · Unknown · Spreadsheet-Reader

Name of the Vulnerable Software and Affected Versions: spreadsheet-reader version 0.5.11 Description: A Local File inclusion issue in test.php allows remote attackers to include arbitrary files via the File parameter. This could potentially lead to sensitive information disclosure or other securi...

SUSE CVE-2008-4182

Cross-site scripting XSS vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1 and other versions before 2.3.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session...

SUSE CVE-2020-18670

Cross Site Scripting XSS vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php...

CVE-2020-18670

Cross Site Scripting XSS vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php...

UBUNTU-CVE-2020-18671

Cross Site Scripting XSS vulnerability in Roundcube Mail =1.4.4 via smtp config in /installer/test.php...

UBUNTU-CVE-2020-18670

Cross Site Scripting XSS vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php...