| Severity | CVSS | Advisory | Affected versions |
| --- | --- | --- | --- |
| CRITICAL | 10.0 | CVE-2026-40911: WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks | from 0, <= 29.0 |
| CRITICAL | 10.0 | CVE-2026-33478: AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection | from 0, <= 26.0 |
| | | | from 0, <= 29.0 |
| CRITICAL | 9.8 | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) | from 0, <= 26.0 |
| CRITICAL | 9.8 | WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php | from 0, < 7.0.0 |
| CRITICAL | 9.8 | AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php | from 0, <= 21.0.0 |
| CRITICAL | 9.8 | WWBN AVideo Remote Code Execution | >= 12.4, < 14.3 |
| CRITICAL | 9.8 | WWBN AVideo Insufficient Entropy vulnerability | from 0, <= 12.4 |
| CRITICAL | 9.6 | AVideo contains Command injection when embedding a video link | from 0, < 12.4 |
| CRITICAL | 9.4 | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php | from 0, <= 26.0 |
| CRITICAL | 9.3 | WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection | from 0, <= 29.0 |
| CRITICAL | 9.3 | AVideo has Unauthenticated SSRF via plugin/Live/test.php | from 0, <= 26.0 |
| CRITICAL | 9.1 | AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass | from 0, <= 26.0 |
| HIGH | 8.8 | AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL | from 0, <= 26.0 |
| HIGH | 8.8 | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path | from 0, <= 26.0 |
| HIGH | 8.8 | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload | from 0, <= 26.0 |
| HIGH | 8.8 | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload | from 0, <= 26.0 |
| HIGH | 8.8 | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin | from 0, <= 26.0 |
| HIGH | 8.8 | WWBN AVideo command injection vulnerability | from 0, <= 12.4 |
| HIGH | 8.8 | Remote code injection in wwbn/avideo | from 0, < 12.4 |
| HIGH | 8.8 | AVideo vulnerable to Improper Privilege Management | from 0, < 8.9 |
| HIGH | 8.7 | WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) | from 0, <= 29.0 |
| HIGH | 8.6 | AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment | from 0, <= 26.0 |
| HIGH | 8.6 | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP) | from 0, <= 26.0 |
| HIGH | 8.6 | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy | from 0, <= 26.0 |
| HIGH | 8.6 | AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy | from 0, <= 25.0 |
| HIGH | 8.3 | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | from 0, <= 29.0 |
| HIGH | 8.2 | AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page | from 0, <= 26.0 |
| HIGH | 8.1 | WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal | from 0, <= 29.0 |
| HIGH | 8.1 | WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover | from 0, <= 29.0 |
| HIGH | 8.1 | AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking | from 0, <= 26.0 |
| HIGH | 8.1 | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat() | from 0, <= 26.0 |
| HIGH | 8.1 | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification | from 0, <= 26.0 |
| HIGH | 8.1 | AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand() | from 0, <= 26.0 |
| HIGH | 8.1 | AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter | from 0, <= 25.0 |
| HIGH | 8.1 | AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS | from 0, <= 25.0 |
| HIGH | 8.1 | AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments | from 0, <= 25.0 |
| HIGH | 8.1 | AVideo: Unauthenticated PHP session store exposed to host network via published memcached port | from 0, <= 21.0 |
| HIGH | 8.1 | AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php | from 0, <= 21.0.0 |
| HIGH | 8.0 | WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account | from 0, < 12.4 |
| HIGH | 7.7 | AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() | from 0, <= 29.0 |
| HIGH | 7.7 | WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL | from 0, <= 29.0 |
| HIGH | 7.6 | AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion | from 0, <= 26.0 |
| HIGH | 7.6 | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` | from 0, <= 26.0 |
| HIGH | 7.5 | AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server | from 0, <= 29.0 |
| HIGH | 7.5 | AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php | from 0, <= 26.0 |
| HIGH | 7.5 | AVideo has an unauthenticated decrypt oracle leaking any ciphertext | from 0, <= 26.0 |
| HIGH | 7.5 | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter | from 0, <= 26.0 |
| HIGH | 7.5 | AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php | from 0, <= 26.0 |
| HIGH | 7.5 | AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos | from 0, <= 25.0 |
| HIGH | 7.4 | AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin | from 0, <= 26.0 |
| HIGH | 7.3 | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | from 0, <= 26.0 |
| HIGH | 7.3 | WWBN AVideo Improper Restriction of Excessive Authentication Attempts vulnerability | from 0, <= 12.4 |
| HIGH | 7.2 | AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass | from 0, <= 29.0 |
| HIGH | 7.2 | AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name | from 0, <= 26.0 |
| HIGH | 7.1 | WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses | from 0, <= 29.0 |
| HIGH | 7.1 | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | from 0, <= 29.0 |
| HIGH | 7.1 | AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter | from 0, <= 26.0 |
| HIGH | 7.1 | AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter | from 0, <= 26.0 |
| MEDIUM | 6.8 | AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover | from 0, <= 29.0 |
| MEDIUM | 6.5 | WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters | from 0, <= 29.0 |
| MEDIUM | 6.5 | WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens | from 0, <= 29.0 |
| MEDIUM | 6.5 | WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php | from 0, <= 26.0 |
| MEDIUM | 6.5 | AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation | from 0, <= 26.0 |
| MEDIUM | 6.5 | AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug | from 0, <= 26.0 |
| MEDIUM | 6.5 | AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard | from 0, <= 26.0 |
| MEDIUM | 6.5 | AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins | from 0, <= 26.0 |
| MEDIUM | 6.5 | AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users | from 0, <= 26.0 |
| MEDIUM | 6.5 | AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php | from 0, <= 26.0 |
| MEDIUM | 6.4 | AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers | from 0, <= 29.0 |
| MEDIUM | 6.4 | AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification | from 0, <= 26.0 |
| MEDIUM | 6.3 | AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking | from 0, <= 26.0 |
| MEDIUM | 6.1 | AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal | from 0, <= 29.0 |
| MEDIUM | 6.1 | AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php | from 0, <= 26.0 |
| MEDIUM | 6.1 | AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel | from 0, <= 26.0 |
| MEDIUM | 6.1 | AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php | from 0, <= 26.0 |
| MEDIUM | 6.1 | AVideo cross-site scripting vulnerability in the view/about.php page | from 0, < 14.3 |
| MEDIUM | 6.1 | Open redirect in wwbn/avideo | from 0, <= 11.6 |
| MEDIUM | 5.9 | AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command | from 0, <= 25.0 |
| MEDIUM | 5.5 | AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation | from 0, < 26.0 |
| MEDIUM | 5.4 | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass | from 0, <= 29.0 |
| MEDIUM | 5.4 | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content | from 0, <= 29.0 |
| MEDIUM | 5.4 | WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS | from 0, <= 29.0 |
| MEDIUM | 5.4 | WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver | from 0, <= 29.0 |
| MEDIUM | 5.4 | WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators | from 0, <= 29.0 |
| MEDIUM | 5.4 | WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion | from 0, <= 29.0 |
| MEDIUM | 5.4 | WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page | from 0, <= 26.0 |
| MEDIUM | 5.4 | AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() | from 0, <= 26.0 |
| MEDIUM | 5.4 | AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications | from 0, <= 26.0 |
| MEDIUM | 5.4 | AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field | from 0, <= 26.0 |
| MEDIUM | 5.4 | AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization | from 0, <= 26.0 |
| MEDIUM | 5.3 | AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction | from 0, <= 29.0 |
| MEDIUM | 5.3 | AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address | from 0, <= 29.0 |
| MEDIUM | 5.3 | WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF | from 0, <= 29.0 |
| MEDIUM | 5.3 | CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure | from 0, <= 29.0 |
| MEDIUM | 5.3 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version | from 0, <= 29.0 |
| MEDIUM | 5.3 | AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php | from 0, <= 26.0 |
| MEDIUM | 5.3 | AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php | from 0, <= 26.0 |
| MEDIUM | 5.3 | AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php | from 0, <= 26.0 |
| MEDIUM | 5.3 | AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php | from 0, <= 26.0 |