Lucene search
K

231 matches found

Cvelist
Cvelist
added 2026/04/21 7:50 p.m.33 views

CVE-2026-40907 WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...

6.5CVSS0.00269EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 11:25 p.m.5 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the ParsedownSafeWithLinks process. An attacker can execute arbitrary JavaScript in the context of another user's browser session by...

5.9CVSS5.7AI score0.00216EPSS
Exploits2References2
Snyk
Snyk
added 2026/04/14 11:18 p.m.10 views

Permissive Cross-domain Policy with Untrusted Domains

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the allowOrigin function. An attacker can access sensitive user data and perform unauthorized actions by...

8.6CVSS5.7AI score0.00335EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 11:12 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the handling of JSON endpoints that process state-changing requests without verifying the origin or requiring an anti-CSRF token...

5.4CVSS5.8AI score0.00115EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 10:50 p.m.3 views

Arbitrary Code Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary Code Injection via the msg and callback fields in relayed WebSocket messages, which are processed by client-side eval sinks. An attacker can execute...

10CVSS6.1AI score0.00645EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 10:49 p.m.4 views

Active Debug Code

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Active Debug Code via the git.json.php script, which executes a shell command and returns sensitive information as JSON to any unauthenticated user. An attacker ca...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:8 a.m.4 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the downloadURL parameter processing in objects/aVideoEncoder.json.php. An attacker can access internal resources and exfiltrat...

7.1CVSS5.8AI score0.00206EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/08 12:8 a.m.3 views

EUVD-2026-19883

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs...

7.6CVSS5.9AI score0.00412EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:8 a.m.9 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the restreamerURL parameter of the restream log callback flow. An attacker can access internal network resources and retrieve...

7.1CVSS5.9AI score0.0021EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:8 a.m.4 views

Insufficient Verification of Data Authenticity

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the ipn.php process. An attacker can repeatedly increase their wallet balance and renew subscriptions by...

7.1CVSS5.8AI score0.0017EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.7 views

CVE-2026-35180

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

4.3CVSS5.8AI score0.00112EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.4 views

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

5.3CVSS5.9AI score0.00332EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.3 views

CVE-2026-35450

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php,...

5.3CVSS5.9AI score0.0037EPSS
Exploits1References1
NVD
NVD
added 2026/04/07 8:16 p.m.11 views

CVE-2026-39368

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...

6.5CVSS0.0021EPSS
Exploits0References1
NVD
NVD
added 2026/04/06 10:16 p.m.6 views

CVE-2026-35448

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page...

3.7CVSS0.00318EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.8 views

PT-2026-30713

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize settings nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

4.3CVSS5.8AI score0.00112EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/04 6:17 a.m.6 views

Information Exposure

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the client.log.php endpoint, which serves operational log files without enforcing authentication. An attacker can obtain sensitive interna...

6.9CVSS5.8AI score0.00367EPSS
Exploits1References2
Circl
Circl
added 2026/04/02 5:52 p.m.8 views

CVE-2026-35448

creationtimestamp| type| source ---|---|--- 2026-04-02 17:52:54+00:00| published-proof-of-concept| https://github.com/WWBN/AVideo/security/advisories/GHSA-3v7m-qg4x-58h9...

3.7CVSS5.8AI score0.00318EPSS
Exploits1References1
Snyk
Snyk
added 2026/04/01 11:25 p.m.1 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of menu item fields such as icon classes, URLs, and text labels without proper output encoding in the TopMenu plugin. An...

6.1CVSS5.8AI score0.00167EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/01 11:1 p.m.3 views

CVE-2026-34716

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

6.4CVSS6.3AI score0.00279EPSS
Exploits1References1
Rows per page
Query Builder