CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/04/21 10:49 p.m.•2 views

EUVD-2026-24539

WWBN AVideo is an open source video platform. In versions 29.0 and below, the isValidDuration regex at objects/video.php:918 uses /^0-91,2:0-91,2:0-91,2/ without a $ end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the...

5.4CVSS5.4AI score0.00035EPSS

ATTACKERKB•added 2026/04/21 10:44 p.m.•2 views

CVE-2026-41060

WWBN AVideo is an open source video platform. In versions 29.0 and below, the isSSRFSafeURL function in objects/functions.php contains a same-domain shortcircuit lines 4290-4296 that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares on...

7.7CVSS5.9AI score0.0004EPSS

Exploits1References3Affected Software1

Vulnrichment•added 2026/04/21 10:43 p.m.•0 views

CVE-2026-41058 AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite deleteDump parameter does not apply path traversal filtering, allowing unlink of arbitrary files via ../../ sequences in the GET parameter. Commit...

8.1CVSS5.8AI score0.00105EPSS

EUVD•added 2026/04/21 10:43 p.m.•1 views

EUVD-2026-24535

8.1CVSS5.9AI score0.00105EPSS

Cvelist•added 2026/04/21 10:43 p.m.•28 views

CVE-2026-41058 AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo

8.1CVSS0.00105EPSS

CVE•added 2026/04/21 10:35 p.m.•12 views

CVE-2026-41056

WWBN AVideo (versions 29.0 and below) is affected by a cross-origin vulnerability where allowOrigin($allowAll=true) reflects arbitrary Origin headers in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. The reflection occurs in objects/functions.php and is invoked ...

8.1CVSS5.9AI score0.00108EPSS

Exploits1References2Affected Software1

NVD•added 2026/04/21 8:17 p.m.•2 views

CVE-2026-40908

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash enabling version fingerprinting against known CVEs,...

5.3CVSS0.00088EPSS

OSV•added 2026/04/21 8:17 p.m.•1 views

DEBIAN-CVE-2026-40890

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with...

7.5CVSS5.3AI score0.00074EPSS

NVD•added 2026/04/21 8:17 p.m.•3 views

CVE-2026-40890

7.5CVSS0.00074EPSS

Vulnrichment•added 2026/04/21 7:55 p.m.•3 views

CVE-2026-40911 WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval...

10CVSS5.9AI score0.00422EPSS

Cvelist•added 2026/04/21 7:52 p.m.•28 views

CVE-2026-40908 WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version

5.3CVSS0.00088EPSS

EUVD•added 2026/04/21 7:52 p.m.•1 views

EUVD-2026-24286

5.3CVSS5.7AI score0.00088EPSS

CVE•added 2026/04/21 7:52 p.m.•5 views

CVE-2026-40908

WWBN AVideo (open source video platform) contains a vulnerability in versions 29.0 and prior where the file at web root, git.json.php, executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes: the exact deployed commit hash (enables version fingerprinting ...

5.3CVSS5.7AI score0.00088EPSS

Exploits1References1Affected Software1

Vulnrichment•added 2026/04/21 7:52 p.m.•0 views

CVE-2026-40908 WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version

5.3CVSS5.7AI score0.00088EPSS

AlpineLinux•added 2026/04/21 7:51 p.m.•0 views

CVE-2026-40890

7.5CVSS5.3AI score0.00074EPSS

Cvelist•added 2026/04/21 7:50 p.m.•28 views

CVE-2026-40907 WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...

6.5CVSS0.00038EPSS

Positive Technologies•added 2026/04/21 12:0 a.m.•0 views

PT-2026-34208

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description An incomplete fix for cross-site scripting in the ParsedownSafeWithLinks class allows the use of javascript: URLs in markdown link syntax to bypass sanitization. This occurs because the...

5.4CVSS5.6AI score0.00043EPSS

Exploits1References8

Positive Technologies•added 2026/04/21 12:0 a.m.•3 views

PT-2026-34062

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The file 'git.json.php' located at the web root executes the git log -1 command and returns the full output as JSON to unauthenticated users. This leads to the exposure of the deployed commit...

5.3CVSS5.2AI score0.00088EPSS