9 matches found
CVE-2026-33759
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...
CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...
CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...
GHSA-75QQ-68M8-PVFR AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Summary The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are correctly hidden from listing endpoints via playlistsFromUser.json.php, but...
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Summary The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are correctly hidden from listing endpoints via playlistsFromUser.json.php, but...
SQL Injection
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection via the catName parameter in JSON-formatted POST requests to objects/videos.json.php and objects/video.php. An attacker can execute arbitrary SQL...
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
Impact An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and...
CVE-2025-55476
FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL ORDER BY clause without proper sanitization, allowing an attacker to inject arbitrary SQL subqueries...
PT-2023-32649 · Unknown · Voovi Social Networking Script
Name of the Vulnerable Software and Affected Versions: Voovi Social Networking Script version 1.0 Description: A SQL injection vulnerability has been reported, affecting the videos.php endpoint in the id parameter. This could allow a remote attacker to send a specially crafted SQL query to the...