Lucene search
K

232 matches found

NVD
NVD
added 2026/03/23 7:16 p.m.8 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS0.0074EPSS
Exploits3References1
CVE
CVE
added 2026/03/23 6:50 p.m.26 views

CVE-2026-33723

WWBN AVideo vulnerable to SQL Injection in Subscribe endpoint (Subscribe::save). In versions up to 26.0, Subscribe::save() builds an INSERT query by directly concatenating $this->users_id (derived from $_POST['user_id'] in subscribe.json.php and subscribeNotify.json.php) without sanitization o...

7.1CVSS6AI score0.00224EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/23 6:49 p.m.22 views

CVE-2026-33719 AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured...

8.6CVSS0.00356EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/23 6:49 p.m.2 views

CVE-2026-33719 AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured...

8.6CVSS5.7AI score0.00356EPSS
Exploits1References2
OSV
OSV
added 2026/03/23 6:48 p.m.5 views

CVE-2026-33717 AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing...

8.8CVSS5.9AI score0.00395EPSS
Exploits1References4
CVE
CVE
added 2026/03/23 6:46 p.m.22 views

CVE-2026-33716

WWBN AVideo v2/3 up to 26.0 (open source video platform) is affected by a flaw in the standalone live stream control endpoint plugin/Live/standAloneFiles/control.json.php. The user-supplied streamerURL can override token verification requests, enabling an attacker to redirect verification to a ma...

9.4CVSS5.8AI score0.00437EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/23 6:46 p.m.23 views

CVE-2026-33716 AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An...

9.4CVSS0.00437EPSS
Exploits1References2
OSV
OSV
added 2026/03/23 6:43 p.m.7 views

CVE-2026-33688 AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames a...

5.3CVSS5.8AI score0.00278EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/03/23 6:42 p.m.3 views

CVE-2026-33685 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/ADServer/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel...

5.3CVSS5.8AI score0.00315EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/23 6:42 p.m.24 views

CVE-2026-33685 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/ADServer/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel...

5.3CVSS0.00315EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/23 6:41 p.m.2 views

CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xssesc function...

5.4CVSS5.9AI score0.00176EPSS
Exploits1References2
CVE
CVE
added 2026/03/23 6:39 p.m.20 views

CVE-2026-33681

WWBN AVideo (versions up to 26.0) has a path traversal flaw in the objects/pluginRunDatabaseScript.json.php endpoint. An authenticated admin (or an attacker via CSRF) can pass a name parameter via POST, which is handed to Plugin::getDatabaseFileName() without proper sanitization and allows readin...

7.2CVSS6AI score0.00493EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/23 6:28 p.m.24 views

CVE-2026-33650 AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented ...

7.6CVSS0.0024EPSS
Exploits1References2
CVE
CVE
added 2026/03/23 6:21 p.m.22 views

CVE-2026-33513

The connected GHSA advisory documents an unauthenticated Local File Inclusion in AVideo via the API locale endpoint (plugin/API/get.json.php?APIName=locale). User input is concatenated into an include path without canonicalization or validation, allowing path traversal to arbitrary PHP files unde...

8.6CVSS6.4AI score0.0074EPSS
Exploits3References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/23 6:21 p.m.6 views

CVE-2026-33513

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...

8.6CVSS6.4AI score0.0074EPSS
Exploits3References2Affected Software1
CVE
CVE
added 2026/03/23 6:17 p.m.18 views

CVE-2026-33512

WWBN AVideo (open source video platform) — Affected versions up to 26.0 have an unauthenticated decryptString action in the API plugin that accepts ciphertext and returns plaintext, exposing protected tokens/metadata. Ciphertext is publicly obtainable (e.g., view/url2Embed.json.php). Patch is ava...

7.5CVSS5.7AI score0.00234EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/03/23 5:16 p.m.3 views

CVE-2026-33507

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

8.8CVSS0.00367EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/23 4:32 p.m.3 views

CVE-2026-33507 AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

8.8CVSS5.9AI score0.00367EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/23 4:32 p.m.7 views

CVE-2026-33507

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

8.8CVSS5.9AI score0.00367EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/23 4:29 p.m.22 views

CVE-2026-33502

Summary (CVE-2026-33502) AVideo (open-source video platform) contains an unauthenticated SSRF via plugin/Live/test.php. In affected versions

9.3CVSS5.9AI score0.00442EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder