
13 matches found

Cvelist
added 2026/03/23 1:58 p.m. · 18 views

CVE-2026-33354 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

WWBN AVideo is an open source video platform. In versions up to and including 26.0, POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint...

CVSS 7.6 · EPSS 0.00254
Exploits: 1 · References: 2

OSV
added 2026/03/23 1:58 p.m. · 2 views

CVE-2026-33354 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

WWBN AVideo is an open source video platform. In versions up to and including 26.0, POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint...

CVSS 7.6 · AI score 5.9 · EPSS 0.00254
Exploits: 1 · References: 4

OSV
added 2026/03/19 7:34 p.m. · 3 views

GHSA-4JW9-5HRC-M4J6 AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

Summary: POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath. That...

CVSS 7.6 · AI score 5.9 · EPSS 0.00254
Exploits: 1 · References: 4

OSV
added 2026/02/25 6:57 p.m. · 1 views

GHSA-H39H-7CVG-Q7J6 AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php

Vulnerability Type: Authenticated Server-Side Request Forgery (SSRF). Affected Product/Versions: AVideo versions prior to 22 (tested on AVideo 21.x). Root Cause Summary: The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper...

CVSS 8.6 · AI score 5.7 · EPSS 0.00235
Exploits: 0 · References: 5

EUVD
added 2026/02/25 6:57 p.m. · 9 views

EUVD-2026-8527

AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php...

CVSS 8.6 · AI score 5.2 · EPSS 0.00235
Exploits: 0 · References: 4

Github Security Blog
added 2026/02/25 6:57 p.m. · 7 views

AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php

Vulnerability Type: Authenticated Server-Side Request Forgery (SSRF). Affected Product/Versions: AVideo versions prior to 22 (tested on AVideo 21.x). Root Cause Summary: The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper...

CVSS 8.6 · AI score 5.5 · EPSS 0.00235
Exploits: 0 · References: 5 · Affected Software: 1

NVD
added 2026/02/24 3:21 p.m. · 5 views

CVE-2026-27732

WWBN AVideo is an open source video platform. Prior to version 22.0, the aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests ...

CVSS 8.6 · EPSS 0.00235
Exploits: 0 · References: 3

CVE
added 2026/02/24 2:56 p.m. · 28 views

CVE-2026-27732

WWBN AVideo contains an SSRF vulnerability in the aVideoEncoder.json.php endpoint prior to version 22.0. The endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper validation or an allow-list, enabling authenticated users to trigger requests to arb...

CVSS 8.6 · AI score 5.7 · EPSS 0.00235
Exploits: 0 · References: 3 · Affected Software: 1

CNNVD
added 2026/02/24 12:0 a.m. · 6 views

WWBN AVideo Code Issue Vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 22.0 contained code vulnerabilities. These vulnerabilities stemmed from the aVideoEncoder.json.php API endpoint’s acceptance of downloadURL parameters and its ability to retrieve...

CVSS 8.6 · AI score 6 · EPSS 0.00235
Exploits: 0 · References: 3

NVD
added 2025/07/24 4:15 p.m. · 3 views

CVE-2025-25214

A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP requests can lead to arbitrary code execution...

CVSS 8.8 · EPSS 0.00948
Exploits: 1 · References: 2

CNNVD
added 2025/07/24 12:0 a.m. · 1 views

WWBN AVideo Race Condition Issue Vulnerability

WWBN AVideo is a video platform builder written in PHP by the WWBN team. A race condition vulnerability exists in WWBN AVideo version 14.4, which stems from a race condition in the aVideoEncoder.json.php decompression function that could lead to arbitrary code execution...

CVSS 8.8 · AI score 8.1 · EPSS 0.00948
Exploits: 1 · References: 1

Positive Technologies
added 2024/01/10 12:0 a.m. · 4 views

PT-2024-13424 · Wwbn · Avideo

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 11.6 and dev master commit 15fed957fb. Description: An information disclosure issue exists in the aVideoEncoder.json.php chunkFile path functionality. A specially crafted HTTP request can lead to arbitrary file read...

CVSS 6.5 · AI score 6.9 · EPSS 0.01072
Exploits: 1 · References: 6

CNNVD
added 2024/01/10 12:0 a.m. · 3 views

WWBN AVideo Security Breach

WWBN AVideo is a video platform builder written in PHP by the WWBN team. A security vulnerability exists in WWBN AVideo, which originates from an information disclosure vulnerability in the chunkFile path method of the aVideoEncoder.json.php page...

CVSS 6.5 · AI score 6.3 · EPSS 0.01072
Exploits: 1 · References: 2