Wwbn Avideo vulnerabilities

163 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 163
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 21, HIGH 64, MEDIUM 76, LOW 2

Vulnerabilities

Page 1 of 9
CVE-2026-39370 | HIGH | CVSS 8.6 | affected ≥ 0, ≤ 26.0 | 2026-04-08 | sources: GHSA
CWE-918: WWBN AVideo has an allowlisted downloadURL media-extension bypass that defeats the SSRF protection and enables internal response exfiltration (incomplete fix for CVE-2026-27732). Summary: The fix for CVE-2026-27732 (https://github.com/WWBN/AVideo/security/advisories/GHSA-h39h-7cvg-q7j6) is incomplete. objects/aVideoEnc
CVE-2026-39369 | HIGH | CVSS 7.6 | affected ≤ 26.0 | 2026-04-07 | sources: GHSA, NVD
CWE-22: WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read
CVE-2026-39368 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-04-07 | sources: GHSA, NVD
CWE-918: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary c
CVE-2026-39366 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-04-07 | sources: GHSA, NVD, OSV
CWE-345: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly
CVE-2026-39367 | MEDIUM | CVSS 5.4 | affected ≤ 26.0 | 2026-04-07 | sources: GHSA, NVD, OSV
CWE-79: WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose elements contain Jav
CVE-2026-35179 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-04-06 | sources: GHSA, NVD, OSV
CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes
CVE-2026-35452 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-04-06 | sources: GHSA, NVD, OSV
CWE-200: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection meta
CVE-2026-35180 | MEDIUM | CVSS 4.3 | affected ≤ 26.0 | 2026-04-06 | sources: NVD
CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwr
CVE-2026-35181 | MEDIUM | CVSS 4.3 | affected ≤ 26.0 | 2026-04-06 | sources: GHSA, NVD, OSV
CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with Same
CVE-2026-35449 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-04-06 | sources: GHSA, NVD, OSV
CWE-200: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthentica
CVE-2026-35450 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-04-06 | sources: GHSA, NVD, OSV
CWE-306: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().
CVE-2026-35448 | LOW | CVSS 3.7 | affected ≤ 26.0 | 2026-04-06 | sources: GHSA, NVD, OSV
CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Si
CVE-2026-34733 | HIGH | CVSS 7.3 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-284: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to
CVE-2026-34732 | HIGH | CVSS 7.5 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-306: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin th
CVE-2026-34731 | HIGH | CVSS 7.5 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-306: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doi
CVE-2026-34394 | HIGH | CVSS 8.1 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forg
CVE-2026-34740 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-918: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addres
CVE-2026-34737 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscripti
CVE-2026-34613 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSe
CVE-2026-34739 | MEDIUM | CVSS 6.1 | affected ≤ 26.0 | 2026-03-31 | sources: GHSA, NVD, OSV
CWE-79: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the pag
Wwbn Avideo vulnerabilities | cvebase