7 matches found
CVE-2026-43885 WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g., userslist) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an...
CVE-2026-33293
WWBN AVideo is an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete...
CVE-2023-25313
OS injection vulnerability in World Wide Broadcast Network AVideo versions before 12.4 allows attackers to execute arbitrary code via the video link field of the Embed a video link feature...
EUVD-2023-0761
Malicious code in bioql PyPI...
EUVD-2022-36196
Malicious code in bioql PyPI...
CVE-2023-25314
Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4 allows attackers to gain sensitive information via the success parameter to /user...
CVE-2023-25313
OS injection vulnerability in World Wide Broadcast Network AVideo versions before 12.4 allows attackers to execute arbitrary code via the video link field of the Embed a video link feature...