Lucene search
K

45 matches found

RedhatCVE
RedhatCVE
added 2026/03/28 4:59 p.m.6 views

CVE-2026-33764

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $REQUEST'id' parameter without validating that the AI response belongs to the specified video. An authenticated user wi...

4.3CVSS5.9AI score0.00214EPSS
Exploits1References1
NVD
NVD
added 2026/03/27 3:16 p.m.6 views

CVE-2026-33764

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $REQUEST'id' parameter without validating that the AI response belongs to the specified video. An authenticated user wi...

4.3CVSS0.00214EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/27 2:29 p.m.5 views

CVE-2026-33764

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $REQUEST'id' parameter without validating that the AI response belongs to the specified video. An authenticated user wi...

4.3CVSS5.9AI score0.00214EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.3 views

CVE-2026-33493

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath +...

8.1CVSS5.8AI score0.00335EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.17 views

PT-2026-28534

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description The AVideo platform’s AI plugin contains a flaw in the save.json.php endpoint. This endpoint loads AI response objects using the $ REQUEST'id' parameter, which is controlled by the attacker,...

4.3CVSS5.9AI score0.00214EPSS
Exploits1References5
NVD
NVD
added 2026/03/23 4:16 p.m.12 views

CVE-2026-33493

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath +...

8.1CVSS0.00335EPSS
Exploits1References2
OSV
OSV
added 2026/03/23 3:52 p.m.4 views

CVE-2026-33493 AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath +...

7.1CVSS5.9AI score0.00335EPSS
Exploits1References4
CVE
CVE
added 2026/03/23 3:52 p.m.11 views

CVE-2026-33493

CVE-2026-33493 affects WWBN AVideo (versions up to and including 26.0). The vulnerability is rooted in objects/import.json.php, which only validates fileURI ends with .mp4 and imposes no directory restriction. An authenticated user with upload permission can abuse this to: (1) import another user...

8.1CVSS5.8AI score0.00335EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/23 3:52 p.m.5 views

CVE-2026-33493

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath +...

7.1CVSS5.8AI score0.00335EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/03/22 5:17 p.m.8 views

CVE-2026-33292

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

7.5CVSS0.00688EPSS
Exploits1References2
OSV
OSV
added 2026/03/22 4:26 p.m.4 views

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

7.5CVSS6AI score0.00688EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/22 4:26 p.m.2 views

CVE-2026-33292

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

7.5CVSS5.9AI score0.00688EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/03/22 4:26 p.m.29 views

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

7.5CVSS0.00688EPSS
Exploits1References2
CVE
CVE
added 2026/03/22 4:26 p.m.17 views

CVE-2026-33292

Summary (CVE-2026-33292) : WWBN AVideo is vulnerable prior to 26.0 due to a path traversal split-oracle in the HLS endpoint view/hls.php. The GET parameter videoDirectory is processed in two code paths: an authorization path that truncates after the first slash, and a file-access path that preser...

7.5CVSS5.9AI score0.00688EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/22 4:26 p.m.2 views

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

7.5CVSS5.9AI score0.00688EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/03/22 12:0 a.m.7 views

WWBN AVideo 路径遍历漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 26.0 contained a path traversal vulnerability. This vulnerability stemmed from path traversal in the HLS streaming endpoint, which could allow unauthenticated attackers to...

7.5CVSS5.8AI score0.00688EPSS
Exploits1References2
OSV
OSV
added 2026/03/20 8:49 p.m.3 views

GHSA-83XQ-8JXJ-4RXM AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter

Summary The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath + directory prefix check to restrict paths to the videos/ directory,...

7.1CVSS6AI score0.00335EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/20 8:49 p.m.7 views

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal in the import.json.php endpoint when handling the fileURI parameter. An authenticated user with upload permissions can access and copy private...

8.1CVSS6.3AI score0.00335EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/20 8:49 p.m.9 views

AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter

Summary The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath + directory prefix check to restrict paths to the videos/ directory,...

8.1CVSS6AI score0.00335EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/03/19 4:43 p.m.3 views

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the videoDirectory parameter in the hls.php file. An attacker can access and stream private or paid video content by supplying a crafted pa...

8.7CVSS6.4AI score0.00688EPSS
Exploits1References2
Rows per page
Query Builder