CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

163 matches found

Positive Technologies•added 2026/06/09 12:0 a.m.•12 views

PT-2026-48238

21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet. The autonomous agent discovered vulnerabilities spanning the TS demuxer, VP9 decoder, RTP...

6.1AI score

Exploits0References1

Positive Technologies•added 2026/06/09 12:0 a.m.•10 views

PT-2026-48237

6.1AI score

Exploits0References1

Positive Technologies•added 2026/06/09 12:0 a.m.•13 views

PT-2026-48234

6.1AI score

Exploits0References1

Positive Technologies•added 2026/06/09 12:0 a.m.•11 views

PT-2026-48240

6.1AI score

Exploits0References1

Positive Technologies•added 2026/06/09 12:0 a.m.•14 views

PT-2026-48239

6.1AI score

Exploits0References1

OSV•added 2026/05/04 1:12 p.m.•3 views

JLSEC-2026-398

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTPS URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request HTTP...

8.1CVSS6.9AI score0.02927EPSS

Exploits0References20

Vulnrichment•added 2026/03/31 8:50 p.m.•0 views

CVE-2026-34731 AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo onpublishdone.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but perform...

7.5CVSS6AI score0.00479EPSS

Exploits1References1

Cvelist•added 2026/03/31 8:50 p.m.•24 views

CVE-2026-34731 AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php

7.5CVSS0.00479EPSS

Exploits1References1

ATTACKERKB•added 2026/03/31 8:50 p.m.•1 views

CVE-2026-34731

7.5CVSS6AI score0.00479EPSS

Exploits1References2Affected Software1

Positive Technologies•added 2026/03/31 12:0 a.m.•3 views

PT-2026-29361

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on publish done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but...

7.5CVSS6AI score0.00479EPSS

Exploits1References3

RedhatCVE•added 2026/03/28 11:9 p.m.•2 views

CVE-2026-34374

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...

9.1CVSS5.9AI score0.00344EPSS

Exploits1References1

NVD•added 2026/03/27 7:16 p.m.•7 views

CVE-2026-34374

9.1CVSS0.00344EPSS

Exploits1References1

Positive Technologies•added 2026/03/27 12:0 a.m.•1 views

PT-2026-28624

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions up to and including 26.0 Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Live schedule::keyExists method builds a SQL query by directly inserting a stream key into the...

9.1CVSS5.8AI score0.00344EPSS

Exploits1References8

RedhatCVE•added 2026/03/26 3:0 p.m.•3 views

CVE-2026-33485

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations —...

7.5CVSS5.8AI score0.00468EPSS

Exploits1References1

NVD•added 2026/03/23 3:16 p.m.•2 views

CVE-2026-33485

7.5CVSS0.00468EPSS

Exploits1References2

CVE•added 2026/03/23 2:14 p.m.•8 views

CVE-2026-33485

CVE-2026-33485 affects WWBN/AVideo up to version 26.0, where the RTMP on_publish.php endpoint is reachable without authentication. The attack relies on the stream key in $_POST['name'], which is interpolated directly into SQL in two places: LiveTransmitionHistory::getLatest() and LiveTransmition:...

7.5CVSS5.8AI score0.00468EPSS

Exploits1References2Affected Software1

ATTACKERKB•added 2026/03/23 2:14 p.m.•3 views

CVE-2026-33485

7.5CVSS5.8AI score0.00468EPSS

Exploits1References3Affected Software1

Vulnrichment•added 2026/03/23 2:14 p.m.•2 views

CVE-2026-33485 AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

7.5CVSS5.8AI score0.00468EPSS

Exploits1References2

OSV•added 2026/03/23 2:14 p.m.•3 views

CVE-2026-33485 AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

7.5CVSS5.9AI score0.00468EPSS

Exploits1References4

OSV•added 2026/03/20 8:47 p.m.•3 views

GHSA-8P58-35C3-CCXX AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

Summary The RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest and LiveTransmition::keyExists — without parameterized binding...

7.5CVSS6AI score0.00468EPSS

Exploits1References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by