CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

59 matches found

CVE-2026-45619

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...

6.5CVSS5.4AI score0.00038EPSS

Exploits0References1

RedhatCVE•added yesterday•4 views

CVE-2026-41872

"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server...

9.1CVSS7.1AI score0.0002EPSS

Exploits0References1

Cvelist•added 2026/05/29 1:11 p.m.•30 views

CVE-2026-45619 AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post

6.5CVSS0.00038EPSS

Exploits0References1

CNNVD•added 2026/05/29 12:0 a.m.•4 views

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained code vulnerabilities. These vulnerabilities stemmed from the lack of using the $resolvedIP output parameter from functions like EpgParser.php and...

6.5CVSS5.9AI score0.00038EPSS

Exploits0References1

Positive Technologies•added 2026/05/15 12:0 a.m.•5 views

PT-2026-43463

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description Certain components, including EpgParser.php and plugin/AI/receiveAsync.json.php, fail to utilize the $resolvedIP out-parameter of the isSSRFSafeURL function for DNS pinning via CURLOPT RESOLVE...

6.5CVSS5.8AI score0.00038EPSS

Exploits0References5

Cvelist•added 2026/05/12 5:21 a.m.•31 views

CVE-2026-41872

9.1CVSS0.0002EPSS

Exploits0References3

RedhatCVE•added 2026/04/08 7:57 p.m.•2 views

CVE-2026-39367

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG Electronic Program Guide feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epglin...

5.4CVSS5.8AI score0.00034EPSS

Exploits0References1

EUVD•added 2026/04/08 12:8 a.m.•2 views

EUVD-2026-19879

WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page...

5.4CVSS5.9AI score0.00034EPSS

Exploits0References3

OSV•added 2026/04/08 12:8 a.m.•1 views

GHSA-RQP3-GF5H-MRQX WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page

Summary AVideo's EPG Electronic Program Guide feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epglink to a malicious XML file whose elements contain JavaScript. This...

5.4CVSS5.8AI score0.00034EPSS

Exploits0References4

CVE•added 2026/04/07 7:22 p.m.•2 views

CVE-2026-39367

WWBN AVideo (versions 26.0 and earlier) has a stored XSS vector in the EPG page. The EPG feature parses XML from user-controlled URLs and renders elements directly into HTML without sanitization, allowing a user with upload permission to point epg_link to a malicious XML to trigger JavaScript ex...

5.4CVSS5.8AI score0.00034EPSS

Exploits0References2Affected Software1

CNNVD•added 2026/04/07 12:0 a.m.•3 views

WWBN AVideo 跨站脚本漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient cleaning and escaping of XML inputs controlled by the EPG function, which could...

5.4CVSS5.7AI score0.00034EPSS

Exploits0References2

Positive Technologies•added 2026/04/07 12:0 a.m.•3 views

PT-2026-30986

5.4CVSS5.8AI score0.00034EPSS

Exploits0References5

Snyk•added 2026/04/01 9:8 p.m.•2 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the EPG link processing, which fails to properly validate URLs using the intended isSSRFSafeURL function. An attacker can caus...

7.1CVSS5.9AI score0.00012EPSS

Exploits1References2

Github Security Blog•added 2026/04/01 9:8 p.m.•5 views

AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

Summary The EPG Electronic Program Guide link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTERVALIDATEURL, which accepts internal network addresses. Although...

6.5CVSS6.1AI score0.00012EPSS

Exploits1References4Affected Software1

OSV•added 2026/04/01 9:8 p.m.•3 views

GHSA-X5VX-VRPF-R45F AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

6.5CVSS6.1AI score0.00012EPSS

Exploits1References4

NVD•added 2026/03/31 9:16 p.m.•2 views

CVE-2026-34740

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG Electronic Program Guide link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's...

6.5CVSS0.00012EPSS

Exploits1References1

Cvelist•added 2026/03/31 8:57 p.m.•18 views

CVE-2026-34740 AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

6.5CVSS0.00012EPSS

Exploits1References1