Every CVE whose affected-product data names Wwbn Avideo, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (190)
CVE-2026-33478 — CVSS 10.0 (critical): WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin…
CVE-2026-40911 — CVSS 10.0 (critical): WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied…
CVE-2022-30547 — CVSS 9.9 (critical): A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2026-41304 — CVSS 9.8 (critical): WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin…
CVE-2026-28501 — CVSS 9.8 (critical): WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within…
CVE-2026-33352 — CVSS 9.8 (critical): WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in…
CVE-2024-31819 — CVSS 9.8 (critical): An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the…
CVE-2026-33770 — CVSS 9.8 (critical): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in…
CVE-2023-49599 — CVSS 9.8 (critical): An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially…
CVE-2023-47862 — CVSS 9.8 (critical): A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A…
CVE-2023-25313 — CVSS 9.8 (critical): OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the…
CVE-2025-41420 — CVSS 9.6 (critical): A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master…
CVE-2025-50128 — CVSS 9.6 (critical): A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev…
CVE-2022-26842 — CVSS 9.6 (critical): A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master…
CVE-2023-48728 — CVSS 9.6 (critical): A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master…
CVE-2025-46410 — CVSS 9.6 (critical): A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4…
CVE-2026-33716 — CVSS 9.4 (critical): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at…
CVE-2026-41064 — CVSS 9.3 (critical): WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds…
CVE-2026-33502 — CVSS 9.3 (critical): WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery…
CVE-2026-33351 — CVSS 9.1 (critical): WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in…
CVE-2026-34374 — CVSS 9.1 (critical): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a…
CVE-2026-33297 — CVSS 9.1 (critical): WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows…
CVE-2025-34434 — CVSS 9.1 (critical): AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin…
CVE-2025-53084 — CVSS 9.0 (critical): A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit…
CVE-2022-28712 — CVSS 9.0 (critical): A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2023-47861 — CVSS 9.0 (critical): A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit…
CVE-2022-33149 — CVSS 8.8 (high): A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted…
CVE-2022-34652 — CVSS 8.8 (high): A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted…
CVE-2026-28502 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was…
CVE-2026-33479 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint…
CVE-2023-30854 — CVSS 8.8 (high): AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint…
CVE-2023-32073 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at…
CVE-2026-33647 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates…
CVE-2022-30605 — CVSS 8.8 (high): A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2022-30534 — CVSS 8.8 (high): An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit…
CVE-2023-49589 — CVSS 8.8 (high): An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master…
CVE-2022-29468 — CVSS 8.8 (high): A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP…
CVE-2026-33648 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by…
CVE-2026-33767 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method…
CVE-2022-32572 — CVSS 8.8 (high): An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2026-33717 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in…
CVE-2025-34437 — CVSS 8.8 (high): AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates…
CVE-2025-34436 — CVSS 8.8 (high): AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure…
CVE-2026-33507 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows…
CVE-2020-23489 — CVSS 8.8 (high): The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of…
CVE-2022-32282 — CVSS 8.8 (high): An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a…
CVE-2026-45578 — CVSS 8.8 (high): WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket…
CVE-2022-33147 — CVSS 8.8 (high): A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted…
CVE-2022-33148 — CVSS 8.8 (high): A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted…
CVE-2025-25214 — CVSS 8.8 (high): A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff…
CVE-2026-40909 — CVSS 8.7 (high): WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file…
CVE-2026-41055 — CVSS 8.6 (high): WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds…
CVE-2026-33719 — CVSS 8.6 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php`…
CVE-2026-33480 — CVSS 8.6 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be…
CVE-2026-33513 — CVSS 8.6 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`)…
CVE-2026-33039 — CVSS 8.6 (high): WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied…
CVE-2023-48730 — CVSS 8.5 (high): A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit…
CVE-2026-40925 — CVSS 8.3 (high): WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via…
CVE-2025-36548 — CVSS 8.3 (high): A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and…
CVE-2026-34375 — CVSS 8.2 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly…
CVE-2026-41058 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter…
CVE-2026-33649 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php`…
CVE-2026-29093 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on…
CVE-2026-33043 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID…
CVE-2026-33037 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml…
CVE-2026-33038 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the…
CVE-2026-33651 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes…
CVE-2025-34438 — CVSS 8.1 (high): AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify…
CVE-2026-33293 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php`…
CVE-2026-33482 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in…
CVE-2026-27732 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL`…
CVE-2026-34394 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint…
CVE-2026-41056 — CVSS 8.1 (high): WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in…
CVE-2023-30860 — CVSS 8.0 (high): WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can…
CVE-2021-21286 — CVSS 7.7 (high): AVideo Platform is an open-source Audio and Video platform. It is similar to a self-hosted YouTube. In AVideo Platform before version 10.2…
CVE-2026-41060 — CVSS 7.7 (high): WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php`…
CVE-2026-33354 — CVSS 7.6 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a…
CVE-2026-39369 — CVSS 7.6 (high): WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an…
CVE-2026-33650 — CVSS 7.6 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can…
CVE-2026-34731 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows…
CVE-2020-23490 — CVSS 7.5 (high): There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. An unauthenticated attacker can exploit this issue…
CVE-2020-37173 — CVSS 7.5 (high): AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the…
CVE-2022-32777 — CVSS 7.5 (high): An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session…
CVE-2022-32778 — CVSS 7.5 (high): An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session…
CVE-2023-49738 — CVSS 7.5 (high): An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A…
CVE-2025-34441 — CVSS 7.5 (high): AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails…
CVE-2025-34442 — CVSS 7.5 (high): AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server…
CVE-2026-33292 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path…
CVE-2026-33483 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a…
CVE-2026-33485 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at…
CVE-2026-33512 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without…
CVE-2026-33867 — CVSS 7.5 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect…
CVE-2026-33488 — CVSS 7.4 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl…
CVE-2023-49810 — CVSS 7.3 (high): A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit…
CVE-2025-48732 — CVSS 7.3 (high): An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request…
CVE-2026-33492 — CVSS 7.3 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary…
CVE-2026-33681 — CVSS 7.2 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint…
CVE-2026-41057 — CVSS 7.1 (high): WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is…
CVE-2026-40926 — CVSS 7.1 (high): WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.p…
CVE-2026-39370 — CVSS 7.1 (high): WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled…
CVE-2026-33493 — CVSS 7.1 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a…
CVE-2026-33723 — CVSS 7.1 (high): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in…
CVE-2026-34737 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is…
CVE-2026-34733 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php…
CVE-2022-32761 — CVSS 6.5 (medium): An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit…
CVE-2026-39368 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an…
CVE-2022-28710 — CVSS 6.5 (medium): An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2025-34435 — CVSS 6.5 (medium): AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete…
CVE-2023-49864 — CVSS 6.5 (medium): An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev…
CVE-2023-49863 — CVSS 6.5 (medium): An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev…
CVE-2026-34613 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows…
CVE-2026-34395 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all…
CVE-2026-33766 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against…
CVE-2023-49862 — CVSS 6.5 (medium): An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev…
CVE-2026-45619 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do…
CVE-2023-47171 — CVSS 6.5 (medium): An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev…
CVE-2026-40907 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php`…
CVE-2026-39366 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks…
CVE-2026-34740 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows…
CVE-2026-41062 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for…
CVE-2026-34611 — CVSS 6.5 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows…
CVE-2026-34716 — CVSS 6.4 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming…
CVE-2026-34245 — CVSS 6.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json…
CVE-2025-34440 — CVSS 6.1 (medium): AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter…
CVE-2025-34439 — CVSS 6.1 (medium): AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user…
CVE-2022-32771 — CVSS 6.1 (medium): A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2022-32770 — CVSS 6.1 (medium): A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2022-27463 — CVSS 6.1 (medium): Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a…
CVE-2022-30690 — CVSS 6.1 (medium): A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2026-33296 — CVSS 6.1 (medium): WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow…
CVE-2026-33499 — CVSS 6.1 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php`…
CVE-2026-33035 — CVSS 6.1 (medium): WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows…
CVE-2023-25314 — CVSS 6.1 (medium): Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information…
CVE-2026-34396 — CVSS 6.1 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in…
CVE-2022-32772 — CVSS 6.1 (medium): A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A…
CVE-2026-27568 — CVSS 6.1 (medium): WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4)…
CVE-2026-34739 — CVSS 6.1 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip…
CVE-2022-27462 — CVSS 6.1 (medium): Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice…
CVE-2026-33319 — CVSS 5.9 (medium): WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher…
CVE-2026-45610 — CVSS 5.7 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle…
CVE-2026-33237 — CVSS 5.5 (medium): WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler…
CVE-2026-33500 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7)…
CVE-2026-33683 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user…
CVE-2026-39367 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from…
CVE-2026-40929 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON…
CVE-2026-40928 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept…
CVE-2026-34362 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in…
CVE-2026-45580 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's…
CVE-2026-47694 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders…
CVE-2026-34247 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any…
CVE-2026-41063 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class…
CVE-2026-41061 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses…
CVE-2026-33295 — CVSS 5.4 (medium): WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in…
CVE-2026-33690 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in…
CVE-2026-33041 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password…
CVE-2026-46337 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files…
CVE-2026-33501 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permi…
CVE-2026-30885 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any…
CVE-2026-33685 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint…
CVE-2026-33688 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at…
CVE-2023-50172 — CVSS 5.3 (medium): A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master…
CVE-2026-33759 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns…
CVE-2026-33761 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin…
CVE-2026-33763 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint…
CVE-2026-34364 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the…
CVE-2026-34368 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in…
CVE-2026-34369 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API…
CVE-2026-34732 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not…
CVE-2026-35179 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.ph…
CVE-2026-35449 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access…
CVE-2026-35450 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg…
CVE-2026-35452 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone…
CVE-2026-40908 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and…
CVE-2026-40935 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`)…
CVE-2020-37172 — CVSS 5.3 (medium): AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the…
CVE-2020-37158 — CVSS 5.3 (medium): AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the…
CVE-2026-45620 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It…
CVE-2026-33294 — CVSS 5.0 (medium): WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`)…
CVE-2022-32769 — CVSS 5.0 (medium): Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit…
CVE-2026-45731 — CVSS 4.9 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under…
CVE-2026-34738 — CVSS 4.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus…
CVE-2023-49715 — CVSS 4.3 (medium): A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit…
CVE-2026-47696 — CVSS 4.3 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's…
CVE-2026-33764 — CVSS 4.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI…
CVE-2026-35181 — CVSS 4.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json…
CVE-2026-35180 — CVSS 4.3 (medium): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_native…
CVE-2026-33238 — CVSS 4.3 (medium): WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and…
CVE-2022-32768 — CVSS 4.2 (medium): Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit…
CVE-2026-35448 — CVSS 3.7 (low): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment…