Lucene search
K

4 matches found

NVD
NVD
added 2026/03/23 3:16 p.m.4 views

CVE-2026-33485

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations —...

7.5CVSS0.00468EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/23 2:14 p.m.3 views

CVE-2026-33485 AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations —...

7.5CVSS5.8AI score0.00468EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/23 2:14 p.m.5 views

CVE-2026-33485

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations —...

7.5CVSS5.8AI score0.00468EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/20 8:47 p.m.4 views

GHSA-8P58-35C3-CCXX AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

Summary The RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest and LiveTransmition::keyExists — without parameterized binding...

7.5CVSS6AI score0.00468EPSS
Exploits1References4
Rows per page
Query Builder