WWBN AVideo-Encoder vulnerabilities
3 known vulnerabilities affecting wwbn/avideo-encoder.
Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1
Vulnerabilities
CVE-2026-33024 | CRITICAL | CVSS 9.3 | CWE-918 | fixed in 8.0 | 2026-03-20
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement
nvd
CVE-2026-33025 | HIGH | CVSS 8.6 | CWE-89 | fixed in 8.0 | 2026-03-20
AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and p
nvd
CVE-2026-29058 | CRITICAL | CVSS 9.8 | PoC | CWE-78 | fixed in 7.0 | 2026-03-06
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service dis
nvd