6 matches found
CVE-2026-43873
The CVE describes an Information Exposure in WWBN AVideo’s CloneSite feature. In versions up to 29.0, cloneClient.json.php echoes the local CloneSite secret (myKey) on unauthenticated requests, exposing a static per-installation key derived from systemRootPath and salt. When a victim site has a r...
VulnCheck KEV: CVE-2026-33478
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...
CVE-2026-41304
CVE-2026-41304 affects WWBN AVideo (versions 29.0 and earlier) via the CloneSite plugin’s cloneServer.json.php. The endpoint builds a shell command by directly concatenating user-supplied input from the url parameter into a wget command and executes it with exec(), enabling command injection. Thi...
Command Injection
Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection in the cloneServer.json.php endpoint of the CloneSite plugin, where user-controlled input is concatenated into a shell command without proper...
Directory Traversal
Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the deleteDump parameter in the cloneServer.json.php process. An attacker can delete arbitrary files on the server by supplying path...
CVE-2026-33293
WWBN AVideo is an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., ../../) to delete...