
WWBN AVideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1

Vulnerabilities

Page 11 of 11
CVE-2026-33764 | P4 | MEDIUM | CVSS 4.3 | ≤ 26.0 | 2026-03-27
CVE-2026-33764 [MEDIUM] CWE-639: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response
Sources: GHSA, NVD, OSV
CVE-2026-35180 | P4 | MEDIUM | CVSS 4.3 | ≤ 26.0 | 2026-04-06
CVE-2026-35180 [MEDIUM] CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwr
Sources: NVD
CVE-2026-35181 | P4 | MEDIUM | CVSS 4.3 | ≤ 26.0 | 2026-04-06
CVE-2026-35181 [MEDIUM] CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with Same
Sources: GHSA, NVD, OSV
CVE-2026-43883 | P4 | MEDIUM | CVSS 4.2 | ≤ 29.0 | 2026-05-11
CVE-2026-43883 [MEDIUM] CWE-639: WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPa
Sources: GHSA, NVD
CVE-2026-35448 | P4 | LOW | CVSS 3.7 | ≤ 26.0 | 2026-04-06
CVE-2026-35448 [LOW] CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Si
Sources: GHSA, NVD, OSV
CVE-2026-55173 | HIGH | CVSS 8.1 | ≥ 0, ≤ 29.0 | 2026-06-23
CVE-2026-55173 [HIGH] CWE-78: AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink. Summary: The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. That advisory reported that `sani
Sources: GHSA
CVE-2026-49279 | HIGH | CVSS 7.2 | ≥ 0, ≤ 29.0 | 2026-06-04
CVE-2026-49279 [HIGH] CWE-79: WWBN AVideo: Stored XSS via `autoEvalCodeOnHTML` Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass). Summary: AVideo has a stored XSS vulnerability in the WebSocket messaging system. The `MessageSQLite.php` handler only strips `autoEvalCodeOnHTML` from `$json[
Sources: GHSA
CVE-2026-33692 | HIGH | ≥ 0, < 29.0 | 2026-06-22
CVE-2026-33692 [HIGH] CWE-20: AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration. Vulnerability Details: CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory. The official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root: `volumes: - "./:/var/www/h`
Sources: GHSA
CVE-2026-33731 | MEDIUM | ≥ 0, < 29.0 | 2026-06-22
CVE-2026-33731 [MEDIUM] CWE-345: AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data. Summary: The Authorize.Net webhook handler at `plugin/AuthorizeNet/webhook.php` contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplyin
Sources: GHSA
CVE-2026-33684 | MEDIUM | ≥ 0, < 29.0 | 2026-06-22
CVE-2026-33684 [MEDIUM] CWE-862: AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions. Summary: The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created acco
Sources: GHSA
CVE-2026-50182 | MEDIUM | ≥ 0, ≤ 29.0 | 2026-06-04
CVE-2026-50182 [MEDIUM] CWE-79: WWBN AVideo: Unauthenticated Reflected XSS via `$_GET['search']` in AVideo YouTubeAPI Gallery Pagination. Summary: A reflected Cross-Site Scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript
Sources: GHSA
CVE-2026-50183 | MEDIUM | ≥ 0, ≤ 29.0 | 2026-06-04
CVE-2026-50183 [MEDIUM] CWE-79: WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section. Summary: A stored Cross-Site Scripting vulnerability (CWE-79; chained CWE-829, Inclusion of Functionality from Untrusted Control Sphere) in the AVideo YouTubeAPI plugin renders the `snippet.title`
Sources: GHSA