Lucene search
K

9 matches found

NVD
NVD
added 2026/03/27 3:16 p.m.8 views

CVE-2026-33759

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

5.3CVSS0.00295EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/27 2:18 p.m.30 views

CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

5.3CVSS0.00295EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/27 2:18 p.m.3 views

CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

5.3CVSS5.9AI score0.00295EPSS
Exploits1References2
OSV
OSV
added 2026/03/26 6:5 p.m.2 views

GHSA-75QQ-68M8-PVFR AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

Summary The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are correctly hidden from listing endpoints via playlistsFromUser.json.php, but...

5.3CVSS6AI score0.00295EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/26 6:5 p.m.7 views

AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

Summary The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are correctly hidden from listing endpoints via playlistsFromUser.json.php, but...

5.3CVSS5.9AI score0.00295EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/03/02 8:49 p.m.2 views

SQL Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection via the catName parameter in JSON-formatted POST requests to objects/videos.json.php and objects/video.php. An attacker can execute arbitrary SQL...

9.8CVSS6.2AI score0.0151EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/02 8:49 p.m.16 views

AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php

Impact An unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and...

9.8CVSS6AI score0.0151EPSS
Exploits1References5Affected Software1
NVD
NVD
added 2025/09/02 6:15 p.m.14 views

CVE-2025-55476

FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL ORDER BY clause without proper sanitization, allowing an attacker to inject arbitrary SQL subqueries...

6.5CVSS0.00239EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2023/11/30 12:0 a.m.8 views

PT-2023-32649 · Unknown · Voovi Social Networking Script

Name of the Vulnerable Software and Affected Versions: Voovi Social Networking Script version 1.0 Description: A SQL injection vulnerability has been reported, affecting the videos.php endpoint in the id parameter. This could allow a remote attacker to send a specially crafted SQL query to the...

9.8CVSS7.7AI score0.00831EPSS
Exploits0References4
Rows per page
Query Builder