WWBN AVideo vulnerabilities
212 known vulnerabilities affecting wwbn/avideo.
Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: Critical 25, High 78, Medium 108, Low 1
Vulnerabilities
Page 1 of 11
CVE-2026-33478 | P1 | CRITICAL | CVSS 10.0 | CWE-78 | Exploited | PoC | Affected: ≤ 26.0 | Published: 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full
Sources: GHSA, NVD, OSV
CVE-2023-48728 | P2 | MEDIUM | CVSS 6.1 | CWE-79 | Exploited | PoC | Affected: dev master commit 3c6bb3ff, 11.6, +1 more | Published: 2024-01-10
A cross-site scripting (XSS) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Sources: NVD
CVE-2024-31819 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | PoC | Affected: ≥ 12.4, ≤ 14.2 | Published: 2024-04-10
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.
Sources: GHSA, NVD, OSV
CVE-2026-29058 | P1 | CRITICAL | CWE-78 | PoC | Affected: ≥ 0, < 7.0.0 | Published: 2026-03-03
WWBN AVideo is vulnerable to unauthenticated OS command injection via base64Url in objects/getImage.php.
Impact: An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the `base64Url` GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, intern
Sources: GHSA, OSV
CVE-2026-28501 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | Fixed in: 24.0 | Published: 2026-03-06
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is p
Sources: GHSA, NVD, OSV
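The catName entry above is the classic case of a sanitizer that only covers one input channel (form fields) while the same value also arrives through a JSON body. The following is an added illustration in Python, not AVideo's PHP and not its real schema: a constructed two-table database, the vulnerable string-splicing query, and the same query with a bound parameter, which is safe regardless of where catName came from. Table and column names are invented for the example.

```python
import json
import sqlite3

# Constructed sample schema and rows (not AVideo's real tables), just enough
# to show a category lookup in the style of objects/videos.json.php.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE categories (id INTEGER PRIMARY KEY, clean_name TEXT);
        CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT,
                             categories_id INTEGER, status TEXT);
        INSERT INTO categories VALUES (1, 'music'), (2, 'unlisted');
        INSERT INTO videos VALUES (1, 'public song', 1, 'a'),
                                  (2, 'hidden clip', 2, 'i');
        """
    )
    return con

# One query template; {cat} is either a spliced literal or a '?' placeholder.
BASE_SQL = (
    "SELECT v.title FROM videos v "
    "JOIN categories c ON c.id = v.categories_id "
    "WHERE c.clean_name = {cat} AND v.status = 'a'"
)

def videos_by_category_unsafe(con: sqlite3.Connection, body: str) -> list:
    """Vulnerable pattern: catName from the JSON body is spliced into the SQL text.
    A form-field sanitizer never sees this value, so the quote closes the literal."""
    cat = json.loads(body)["catName"]
    return [r[0] for r in con.execute(BASE_SQL.format(cat=f"'{cat}'"))]

def videos_by_category_safe(con: sqlite3.Connection, body: str) -> list:
    """Hardened pattern: same query, catName bound as a parameter, so its content
    is data whatever channel it arrived on."""
    cat = json.loads(body)["catName"]
    if not isinstance(cat, str):
        raise ValueError("catName must be a string")
    return [r[0] for r in con.execute(BASE_SQL.format(cat="?"), (cat,))]

# Constructed request bodies: a normal lookup and a tautology payload.
BENIGN = json.dumps({"catName": "music"})
PAYLOAD = json.dumps({"catName": "x' OR 1=1 --"})
```

With the payload, the spliced query becomes `WHERE c.clean_name = 'x' OR 1=1 --' AND v.status = 'a'`; the status filter is commented out and the inactive video leaks. The parameterized version returns nothing, because no category is literally named `x' OR 1=1 --`.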
CVE-2022-30547 | P2 | CRITICAL | CVSS 9.9 | CWE-22 | Affected: 11.6, dev master commit 3f7c0364 | Published: 2022-08-22
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
Sources: NVD
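The unzipDirectory entry is a zip-slip case: an archive entry named with `../` segments (or an absolute path) is written outside the intended directory, which in a PHP web root becomes code execution. The block below is an added example in Python, not the project's code: it builds two in-memory archives (constructed inputs), shows how to detect entries that resolve outside the destination after path normalisation, and refuses the whole archive rather than skipping the bad entry. The destination path used as a default is invented for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import List

def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive. Names are stored exactly as given, so a
    '../' prefix survives the way it would in an attacker-built archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def escaping_entries(zip_bytes: bytes, dest: str = "/srv/avideo/plugin/Example") -> List[str]:
    """Return the entry names that would land outside dest once '..' and
    absolute paths are resolved. Pure check: nothing is written."""
    root = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Joining an absolute entry name discards root, so it fails this test too.
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                bad.append(info.filename)
    return bad

def safe_unzip(zip_bytes: bytes, dest: str) -> List[str]:
    """Reject the archive if any entry escapes; otherwise extract it under dest
    and return the relative names written, in archive order."""
    bad = escaping_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written

# Constructed archives: a clean plugin bundle and one carrying a zip-slip entry.
CLEAN_ZIP = build_zip({"plugin.json": b"{}", "assets/logo.txt": b"logo"})
EVIL_ZIP = build_zip({"plugin.json": b"{}", "../../objects/shell.txt": b"x"})

def demo() -> List[str]:
    """Extract CLEAN_ZIP into a throwaway directory and report what was written."""
    with tempfile.TemporaryDirectory() as d:
        return safe_unzip(CLEAN_ZIP, d)
```

Note that `zipfile.ZipFile.extractall()` already strips traversal components, but code that reads entries with `read()` and writes them itself (the shape of a custom unzipDirectory helper) gets no such protection, which is why the check is done explicitly on the resolved target path rather than on the raw name.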
CVE-2022-30534 | P2 | HIGH | CVSS 8.8 | CWE-78 | Affected: 11.6, dev master commit 3f7c0364 | Published: 2022-08-22
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
Sources: NVD
CVE-2025-34441 | P3 | HIGH | CVSS 7.5 | CWE-359 | PoC | Fixed in: 20.0 | Published: 2025-12-17
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
Sources: NVD
CVE-2025-34442 | P3 | HIGH | CVSS 7.5 | CWE-497 | PoC | Fixed in: 20.0 | Published: 2025-12-17
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
Sources: NVD
CVE-2026-41304 | P2 | CRITICAL | CVSS 9.8 | CWE-77 | Affected: ≤ 29.0 | Published: 2026-04-22
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection. An atta
Sources: NVD
CVE-2022-32572 | P2 | HIGH | CVSS 8.8 | CWE-78 | Affected: 11.6, dev master commit 3f7c0364 | Published: 2022-08-22
An OS command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
Sources: NVD
CVE-2026-40911 | P2 | CRITICAL | CVSS 10.0 | CWE-94 | Affected: ≤ 29.0 | Published: 2026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields
Sources: NVD
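The YPTSocket entry combines two failures: the server forwards whatever JSON a client sends, and the client evaluates the `callback` and `msg` fields as code. The fix pattern is the same on both sides: treat the fields as data, accept `callback` only if it names a registered handler, and never evaluate it. The block below is an added example written in Python to stand in for both halves (it is not the plugin's JavaScript or its PHP server): a handler registry with a lookup-based dispatcher in place of `eval()`, and a server-side filter that re-serialises only schema-conforming messages before broadcast. Handler names and the message schema are invented for the example.

```python
import json
from typing import Any, Callable, Dict, Optional

# Client-side registry: the only names a relayed message may invoke.
HANDLERS: Dict[str, Callable[[dict], Any]] = {}

def handler(name: str):
    """Register a function under the name a message is allowed to reference."""
    def register(fn):
        HANDLERS[name] = fn
        return fn
    return register

@handler("onNewMessage")
def on_new_message(msg: dict) -> str:
    # The handler receives plain data; rendering it still needs HTML escaping.
    return f"chat:{msg.get('text', '')}"

@handler("onPlayerStatus")
def on_player_status(msg: dict) -> str:
    return f"player:{msg.get('state', 'unknown')}"

def dispatch(raw: str) -> Optional[Any]:
    """Replacement for eval(callback)(msg): parse, look the name up, never evaluate.
    Anything malformed, unknown, or with a non-object msg is dropped."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    cb, msg = obj.get("callback"), obj.get("msg")
    fn = HANDLERS.get(cb) if isinstance(cb, str) else None
    if fn is None or not isinstance(msg, dict):
        return None
    return fn(msg)

# Server-side schema: which msg keys may be relayed, and only as strings.
ALLOWED_MSG_KEYS = {"text", "state"}

def relay_filter(raw: str) -> Optional[str]:
    """Gate applied before broadcasting a client's message to every other client.
    Returns a re-serialised message containing only allowed fields, or None to drop it."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    cb, msg = obj.get("callback"), obj.get("msg")
    if not isinstance(cb, str) or cb not in HANDLERS or not isinstance(msg, dict):
        return None
    clean = {k: v for k, v in msg.items() if k in ALLOWED_MSG_KEYS and isinstance(v, str)}
    return json.dumps({"callback": cb, "msg": clean})
```

Re-serialising on the server is deliberate: forwarding the original bytes would keep any extra keys or nested objects the sender added, and the client dispatcher should not be the only line of defence.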
CVE-2023-32073 | P2 | HIGH | CVSS 8.8 | Affected: ≤ 12.4 | Published: 2023-05-12
WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if the CloneSite plugin is in use. This is a bypass of the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2
Sources: GHSA, NVD, OSV
CVE-2026-28502 | P2 | HIGH | CVSS 8.8 | CWE-434 | Fixed in: 24.0 | Published: 2026-03-06
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insufficie
Sources: NVD
CVE-2025-34434 | P2 | CRITICAL | CVSS 9.1 | CWE-306 | Fixed in: 20.0 | Published: 2025-12-17
AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based vide
Sources: NVD
CVE-2023-30854 | P2 | HIGH | CVSS 8.8 | CWE-78 | Fixed in: 12.4 | Affected: ≤ 12.4 | Published: 2023-04-28
AVideo is an open source video platform. Prior to version 12.4, an OS command injection vulnerability in the authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4.
Sources: GHSA, NVD, OSV
CVE-2026-33648 | P2 | HIGH | CVSS 8.8 | CWE-78 | Affected: ≤ 26.0 | Published: 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`
Sources: GHSA, NVD, OSV
CVE-2026-33482 | P2 | HIGH | CVSS 8.1 | CWE-78 | Affected: ≤ 26.0 | Published: 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, ``). However, it fails to strip `$()` (bash command subst
Sources: GHSA, NVD, OSV
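Several entries on this page are the same bug class: a value from the request reaches `exec()` through string concatenation (the `url` parameter in cloneServer.json.php, the `base64Url` parameter in getImage.php, the restreamer log path built from `users_id` and `liveTransmitionHistory_id`), and the one place that tried to filter, `sanitizeFFmpegCommand()`, used a denylist that misses `$()`. The block below is an added example in Python, not the project's PHP: it reproduces a denylist filter of that shape to show the `$()` bypass, then the two real fixes, quoting the whole argument (the `shlex.quote` analogue of PHP's `escapeshellarg`) and, better, validating against an allowlist and invoking the program with an argv and no shell. The regex, the integer-id coercion and the log directory are assumptions chosen for the example, not the project's rules.

```python
import re
import shlex
from typing import List

# Denylist in the shape the advisory describes for sanitizeFFmpegCommand():
# a few operators are stripped, but "$(" is not on the list, so a POSIX shell
# still performs command substitution on what survives.
DENYLIST = ("&&", ";", "|", "`")

def strip_denylist(value: str) -> str:
    """The filter that does not work: removing tokens one by one."""
    for tok in DENYLIST:
        value = value.replace(tok, "")
    return value

def still_expands(value: str) -> bool:
    """True if a shell would still run a command substitution inside value."""
    return "$(" in value or "`" in value

def quoted_shell_arg(value: str) -> str:
    """Fix 1 (escapeshellarg-style): single-quote the whole argument. Inside
    single quotes nothing expands, so $(id) is passed literally to ffmpeg."""
    return shlex.quote(value)

# Fix 2: allowlist, then no shell at all. The first character class excludes a
# leading '-', so a value cannot turn into an ffmpeg option either.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def ffmpeg_argv(src: str, dst: str) -> List[str]:
    """Build the argv for subprocess.run(argv, shell=False) (or proc_open with an
    array in PHP): each element is one argument, and the shell never parses it."""
    for v in (src, dst):
        if not SAFE_NAME.fullmatch(v):
            raise ValueError(f"rejected argument: {v!r}")
    return ["ffmpeg", "-i", src, dst]

def restream_log_path(users_id, history_id) -> str:
    """Same principle for the restreamer case: the ids are integers, so coerce
    them before they touch a path or a command; '7; id' fails int() and is rejected.
    The directory is an assumption for the example."""
    uid, hid = int(users_id), int(history_id)
    if uid <= 0 or hid <= 0:
        raise ValueError("ids must be positive")
    return f"/var/log/avideo/restream_{uid}_{hid}.log"
```

When the command has to go through a shell anyway (the `wget` case), `quoted_shell_arg` is the minimum; the argv approach is preferable because it removes the parser that the denylist was trying to outguess.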
CVE-2026-33647 | P2 | HIGH | CVSS 8.8 | CWE-434 | Affected: ≤ 26.0 | Published: 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magi
Sources: GHSA, NVD, OSV
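The ImageGallery entry is a content check that passes (the bytes do start with a JPEG header) paired with a name derived from the client. The block below is an added example in Python, not the project's `saveFile()`: a small magic-byte sniffer stands in for `finfo`, the vulnerable naming rule keeps the client's extension, and the hardened rule takes the extension from the detected type, requires the client's extension to be on an allowlist and agree with it, and discards the client's basename entirely. The magic table, the polyglot bytes and the storage token are constructed for the example.

```python
import re
from typing import Optional

# Stand-in for finfo MIME detection: magic bytes to canonical extension.
MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
# Client extensions we accept, mapped to the canonical one we will store.
ALLOWED = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

def sniff_ext(data: bytes) -> Optional[str]:
    """Return the canonical extension for recognised image content, else None."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None

def client_ext(original_name: str) -> str:
    return original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""

def save_name_unsafe(original_name: str, data: bytes, token: str) -> str:
    """Vulnerable pattern: content passes the image check, but the stored
    extension is copied from the client's filename, so 'shell.php' stays .php."""
    if sniff_ext(data) is None:
        raise ValueError("not an image")
    return f"{token}.{client_ext(original_name)}"

def save_name_safe(original_name: str, data: bytes, token: str) -> str:
    """Hardened pattern: the extension comes from the detected type; the client's
    extension must be allowlisted and match it; the basename is never used."""
    kind = sniff_ext(data)
    if kind is None:
        raise ValueError("not an image")
    ext = client_ext(original_name)
    if ALLOWED.get(ext) != kind:
        raise ValueError(f"extension {ext!r} does not match detected type {kind!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("storage token must be generated server-side")
    return f"{token}.{kind}"

# Constructed inputs: a polyglot (JPEG header followed by PHP source) and a real-looking JPEG.
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<?php /* would execute if stored as .php */ ?>"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```

Even with the safe naming rule, the upload directory should be served with script execution disabled, so that a future gap in detection cannot turn a stored file into a handler.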
CVE-2025-34437 | P2 | HIGH | CVSS 8.8 | CWE-639 | Fixed in: 20.0 | Published: 2025-12-17
AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.
Sources: NVD