
Wwbn Avideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1

Vulnerabilities

Page 2 of 11
CVE-2026-33716 | P2 | CRITICAL | CVSS 9.4 | affects ≤ 26.0 | 2026-03-23 | sources: GHSA, NVD, OSV
CWE-287. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server
CVE-2020-37172 | P3 | CRITICAL | CVSS 9.8 | affects v8.1 | 2026-02-11 | sources: NVD
CWE-640. AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
CVE-2026-29093 | P3 | CRITICAL | CVSS 9.8 | fixed in 24.0 | 2026-03-06 | sources: GHSA, NVD, OSV
CWE-287. WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush se
CVE-2022-32770 | P3 | MEDIUM | CVSS 6.1 | PoC available | affects v11.6 and dev master commit 3f7c0364 | 2022-08-22 | sources: NVD
CWE-79. A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. This vulnerability arises from the
CVE-2022-32771 | P3 | MEDIUM | CVSS 6.1 | PoC available | affects v11.6 and dev master commit 3f7c0364 | 2022-08-22 | sources: NVD
CWE-79. A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. This vulnerability arises from the
CVE-2022-32772 | P3 | MEDIUM | CVSS 6.1 | PoC available | affects v11.6 and dev master commit 3f7c0364 | 2022-08-22 | sources: NVD
CWE-79. A cross-site scripting (XSS) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. This vulnerability arises from the
CVE-2026-33767 | P3 | HIGH | CVSS 8.8 | affects ≤ 26.0 | 2026-03-27 | sources: GHSA, NVD, OSV
CWE-89. WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` valu
CVE-2026-45578 | P3 | HIGH | CVSS 8.8 | affects ≤ 29.0 | 2026-05-29 | sources: GHSA, NVD
CWE-78. WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($us
CVE-2026-33719 | P3 | HIGH | CVSS 8.6 | affects ≤ 26.0 | 2026-03-23 | sources: GHSA, NVD, OSV
CWE-306. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is co
CVE-2026-33770 | P3 | CRITICAL | CVSS 9.8 | affects ≤ 26.0 | 2026-03-27 | sources: GHSA, NVD, OSV
CWE-89. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category
CVE-2026-34374 | P3 | CRITICAL | CVSS 9.1 | affects ≤ 26.0 | 2026-03-27 | sources: NVD
CWE-89. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup return
CVE-2025-34436 | P3 | HIGH | CVSS 8.8 | fixed in 20.0 | 2025-12-17 | sources: NVD
CWE-639. AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.
CVE-2023-25313 | P3 | CRITICAL | CVSS 9.8 | fixed in 12.4 | 2023-04-25 | sources: GHSA, NVD, OSV
CWE-78. OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature.
CVE-2025-48732 | P3 | CRITICAL | CVSS 9.8 | affects v14.4 and dev master commit 8a8954ff | 2025-07-24 | sources: NVD
CWE-184. An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability.
CVE-2026-33352 | P3 | CRITICAL | CVSS 9.8 | fixed in 26.0 | 2026-03-23 | sources: GHSA, NVD, OSV
CWE-89. WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a ba
CVE-2026-33351 | P3 | CRITICAL | CVSS 9.1 | fixed in 26.0 | 2026-03-23 | sources: GHSA, NVD, OSV
CWE-918. WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to cons
CVE-2026-33297 | P3 | CRITICAL | CVSS 9.1 | fixed in 26.0 | 2026-03-23 | sources: GHSA, NVD, OSV
CWE-639. WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer z
CVE-2026-33651 | P3 | HIGH | CVSS 8.8 | affects ≤ 26.0 | 2026-03-23 | sources: GHSA, NVD, OSV
CWE-89. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functi
CVE-2026-33037 | P3 | HIGH | CVSS 8.1 | fixed in 26.0 | 2026-03-20 | sources: NVD
CWE-1188. WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediatel
CVE-2023-49715 | P3 | HIGH | CVSS 8.8 | affects v15fed957fb and dev master commit 15fed957fb | 2024-01-10 | sources: NVD
CWE-434. An unrestricted PHP file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution when chained with an LFI vulnerability. An attacker can send a series of HTTP requests to trigger this vulnerability.