WWBN AVideo vulnerabilities

163 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 163
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 21, HIGH 64, MEDIUM 76, LOW 2

Vulnerabilities

Page 2 of 9
CVE-2026-34611 | MEDIUM | CVSS 6.5 | ≤ 26.0 | 2026-03-31
CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a c
Sources: GHSA, NVD, OSV
CVE-2026-34716 | MEDIUM | CVSS 6.4 | ≤ 26.0 | 2026-03-31
CWE-79: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('' + heading + '') and inserts it into the D
Sources: GHSA, NVD, OSV
CVE-2026-34738 | MEDIUM | CVSS 4.3 | ≤ 26.0 | 2026-03-31
CWE-285: WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the st
Sources: GHSA, NVD, OSV
CVE-2026-34396 | MEDIUM | CVSS 6.1 | ≤ 26.0 | 2026-03-31
CWE-79: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elemen
Sources: GHSA, NVD, OSV
CVE-2026-34395 | MEDIUM | CVSS 6.5 | ≤ 26.0 | 2026-03-31
CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user da
Sources: GHSA, NVD, OSV
CVE-2026-33867 | CRITICAL | CVSS 9.1 | ≤ 26.0 | 2026-03-27
CWE-312: WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or
Sources: GHSA, NVD, OSV
CVE-2026-34374 | CRITICAL | CVSS 9.1 | ≤ 26.0 | 2026-03-27
CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExists()` when the initial parameterized lookup return
Source: NVD
CVE-2026-33770 | HIGH | CVSS 7.1 | ≤ 26.0 | 2026-03-27
CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameterized queries. An attacker who can trigger category cre
Sources: GHSA, NVD, OSV
CVE-2026-34375 | HIGH | CVSS 8.2 | ≤ 26.0 | 2026-03-27
CWE-79: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`
Sources: GHSA, NVD, OSV
CVE-2026-33767 | HIGH | CVSS 7.1 | ≤ 26.0 | 2026-03-27
CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameterization. An attacker who can control the `videos_id` valu
Sources: GHSA, NVD, OSV
CVE-2026-33766 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-918: WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal targ
Sources: GHSA, NVD, OSV
CVE-2026-34364 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-863: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categor
Sources: GHSA, NVD, OSV
CVE-2026-34247 | MEDIUM | CVSS 5.4 | ≤ 26.0 | 2026-03-27
CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated u
Sources: GHSA, NVD, OSV
CVE-2026-33763 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-307: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentica
Sources: GHSA, NVD, OSV
CVE-2026-33764 | MEDIUM | CVSS 4.3 | ≤ 26.0 | 2026-03-27
CWE-639: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response
Sources: GHSA, NVD, OSV
CVE-2026-34368 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-362: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions o
Sources: GHSA, NVD, OSV
CVE-2026-34369 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks vi
Sources: GHSA, NVD, OSV
CVE-2026-33761 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-200: WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all
Sources: GHSA, NVD, OSV
CVE-2026-34362 | MEDIUM | CVSS 5.4 | ≤ 26.0 | 2026-03-27
CWE-613: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to pro
Sources: GHSA, NVD, OSV
CVE-2026-34245 | MEDIUM | CVSS 6.3 | ≤ 26.0 | 2026-03-27
CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebr
Sources: GHSA, NVD, OSV