
WWBN AVideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: Critical 25, High 78, Medium 108, Low 1

Vulnerabilities

Page 10 of 11
CVE-2026-33296 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 26.0 | 2026-03-22
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback e
Sources: GHSA, NVD, OSV
CVE-2025-34440 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 20.0 | 2025-12-17
AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.
Sources: NVD
CVE-2023-47861 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v11.6, v15fed957fb, +1 more | 2024-01-10
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Sources: NVD
CVE-2026-41063 | P4 | MEDIUM | CVSS 5.4 | ≤ 29.0 | 2026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf
Sources: NVD
CVE-2026-33295 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 26.0 | 2026-03-22
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a
Sources: GHSA, NVD, OSV
CVE-2026-41061 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 29.0 | 2026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTM
Sources: NVD
CVE-2026-40928 | P4 | MEDIUM | CVSS 5.4 | CWE-352 | ≤ 29.0 | 2026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silentl
Sources: NVD
CVE-2023-25314 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 12.4 | 2023-04-25
Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user.
Sources: NVD
CVE-2026-56347 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 26.0 | 2026-06-20
AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performin
Sources: NVD
CVE-2023-48730 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v15fed957fb, vdev master commit 15fed957fb | 2024-01-10
A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Sources: NVD
CVE-2026-45580 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 29.0 | 2026-05-29
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugi
Sources: GHSA, NVD
CVE-2026-40929 | P4 | MEDIUM | CVSS 5.4 | CWE-352 | ≤ 29.0 | 2026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally s
Sources: NVD
CVE-2026-33294 | P4 | MEDIUM | CVSS 4.3 | CWE-918 | fixed in 26.0 | 2026-03-22
WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed.
Sources: GHSA, NVD, OSV
CVE-2026-47696 | P4 | MEDIUM | CVSS 4.3 | CWE-345 | ≤ 29.0 | 2026-05-29
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without
Sources: GHSA, NVD
CVE-2026-43882 | P4 | MEDIUM | CVSS 4.3 | CWE-93 | ≤ 29.0 | 2026-05-11
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169
Sources: GHSA, NVD
CVE-2022-27462 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 11.6 | 2022-04-05
Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php.
Sources: NVD
CVE-2024-34899 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 10.4, ≤ 12.4 | 2024-05-14
WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS).
Sources: GHSA, NVD, OSV
CVE-2022-32768 | P4 | MEDIUM | CVSS 4.2 | CWE-862 | v11.6, vdev master commit 3f7c0364 | 2022-08-22
Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request by an authenticated user can lead to unauthorized access and takeover of resources. An attacker can send an HTTP request to trigger this vulnerability. This vulnerability ex
Sources: NVD
CVE-2026-34738 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | ≤ 26.0 | 2026-03-31
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the st
Sources: GHSA, NVD, OSV
CVE-2022-27463 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | ≤ 11.6 | 2022-04-05
Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page.
Sources: GHSA, NVD, OSV