WWBN AVideo vulnerabilities
212 known vulnerabilities affecting wwbn/avideo.
Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1
Vulnerabilities
Page 11 of 11
CVE-2026-33764 · P4 MEDIUM · CVSS 4.3 · CWE-639 · versions ≤ 26.0 · 2026-03-27
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response
Sources: GHSA, NVD, OSV
CVE-2026-35180 · P4 MEDIUM · CVSS 4.3 · CWE-352 · versions ≤ 26.0 · 2026-04-06
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwr
Sources: NVD
CVE-2026-35181 · P4 MEDIUM · CVSS 4.3 · CWE-352 · versions ≤ 26.0 · 2026-04-06
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with Same
Sources: GHSA, NVD, OSV
CVE-2026-43883 · P4 MEDIUM · CVSS 4.2 · CWE-639 · versions ≤ 29.0 · 2026-05-11
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPa
Sources: GHSA, NVD
CVE-2026-35448 · P4 LOW · CVSS 3.7 · CWE-862 · versions ≤ 26.0 · 2026-04-06
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Si
Sources: GHSA, NVD, OSV
CVE-2026-55173 · HIGH · CVSS 8.1 · CWE-78 · versions ≥ 0, ≤ 29.0 · 2026-06-23
AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
### Summary
The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. That advisory reported that `sani
Sources: GHSA
CVE-2026-49279 · HIGH · CVSS 7.2 · CWE-79 · versions ≥ 0, ≤ 29.0 · 2026-06-04
WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
# AVideo: Stored XSS via `autoEvalCodeOnHTML` in MessageSQLite WebSocket Handler
## Summary
AVideo has a stored XSS vulnerability in the WebSocket messaging system. The `MessageSQLite.php` handler only strips `autoEvalCodeOnHTML` from `$json[
Sources: GHSA
CVE-2026-33692 · HIGH · CWE-20 · versions ≥ 0, < 29.0 · 2026-06-22
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration
## Vulnerability Details
**CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
The official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root:
```yaml
volumes:
- "./:/var/www/h
```
Sources: GHSA
CVE-2026-33731 · MEDIUM · CWE-345 · versions ≥ 0, < 29.0 · 2026-06-22
AVideo has an Authorize.Net Webhook Signature Bypass that Enables Wallet Balance Inflation via Forged Payment Data
## Summary
The Authorize.Net webhook handler at `plugin/AuthorizeNet/webhook.php` contains a signature verification bypass that allows an attacker to forge webhook requests with arbitrary payment amounts and target user IDs. By supplyin
Sources: GHSA
CVE-2026-33684 · MEDIUM · CWE-862 · versions ≥ 0, < 29.0 · 2026-06-22
AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions
## Summary
The `set_api_signUp` method in the API plugin accepts `emailVerified`, `canUpload`, `canStream`, and `canCreateMeet` parameters from user-supplied input and applies them to newly created acco
Sources: GHSA
CVE-2026-50182 · MEDIUM · CWE-79 · versions ≥ 0, ≤ 29.0 · 2026-06-04
WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination
# Unauthenticated Reflected XSS via `$_GET['search']` in AVideo YouTubeAPI Gallery Pagination
## Summary
A reflected Cross-Site Scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript
Sources: GHSA
CVE-2026-50183 · MEDIUM · CWE-79 · versions ≥ 0, ≤ 29.0 · 2026-06-04
WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
# Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
## Summary
A stored Cross-Site Scripting vulnerability (CWE-79; chained CWE-829, Inclusion of Functionality from Untrusted Control Sphere) in the AVideo YouTubeAPI plugin renders the `snippet.title`
Sources: GHSA