Lucene search
K

422 matches found

NVD
NVD
added 2026/05/29 2:16 p.m.12 views

CVE-2026-45620

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS0.00193EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 2:16 p.m.18 views

CVE-2026-46337

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded...

6.9CVSS0.00455EPSS
Exploits1References1
NVD
NVD
added 2026/05/29 2:16 p.m.46 views

CVE-2026-45578

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...

8.8CVSS0.00318EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 2:16 p.m.16 views

CVE-2026-45619

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...

6.5CVSS0.00136EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 1:14 p.m.10 views

CVE-2026-45580 WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars. A canStream user can persi...

5.4CVSS5.6AI score0.00136EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 1:14 p.m.22 views

CVE-2026-45580

CVE-2026-45580 affects WWBN/AVideo versions 29.0 and earlier, via stored XSS in the Live plugin’s YouTube-style live view. The root cause is that modeYoutubeLive.php renders the live stream key directly into an HTML class attribute without escaping, enabling a canStream user to persist a key cont...

5.4CVSS5.6AI score0.00136EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/29 1:14 p.m.40 views

CVE-2026-45578 WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...

8.8CVSS0.00318EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 1:14 p.m.11 views

EUVD-2026-33310

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...

8.8CVSS5.9AI score0.00318EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 1:11 p.m.10 views

CVE-2026-45619

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...

6.5CVSS5.8AI score0.00136EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/29 1:11 p.m.10 views

CVE-2026-45619 AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...

6.5CVSS5.8AI score0.00136EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 1:11 p.m.27 views

CVE-2026-45619

Summary: WWBN AVideo prior to 29.0 allowed SSRF via isSSRFSafeURL() because subsequent fetches used file_get_contents() with redirects enabled. Two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) validate the URL but do not prevent redirects, enabling a redirect-based DNS re...

6.5CVSS5.8AI score0.00136EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/29 1:7 p.m.38 views

CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS0.00193EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 1:7 p.m.14 views

CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 1:7 p.m.13 views

CVE-2026-45620

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

5.3CVSS5.8AI score0.00193EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/29 1:5 p.m.13 views

EUVD-2026-33306

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $POST'updateFile' as a relative path under updatedb/ and passes it to PHP's file for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary tex...

6.9CVSS6AI score0.00469EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/29 1:0 p.m.48 views

CVE-2026-47694 WWBN AVideo: Stored XSS via unescaped Gallery category description

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes whe...

5.4CVSS0.00162EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from the plugin/AuthorizeNet/processPayment.json.php file, which only increased the logged-in user’s wallet...

7.1CVSS6AI score0.0012EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.10 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of the view/update.php script, which read $POSTupdateFile as a relative path under the...

6.9CVSS5.8AI score0.00469EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.8 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from cross-site request forgeing during 2FA switching. The set.json.php file accepts POST requests to set 2...

6.5CVSS5.7AI score0.0011EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.8 views

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained code vulnerabilities. These vulnerabilities stemmed from the lack of using the $resolvedIP output parameter from functions like EpgParser.php and...

6.5CVSS5.9AI score0.00136EPSS
Exploits0References1
Rows per page
Query Builder