
Wwbn Avideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1

Vulnerabilities

Page 3 of 11
CVE-2023-47862 | P3 | CRITICAL | CVSS 9.8 | v15fed957fb; dev master commit 15fed957fb | 2024-01-10
CWE-73: A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability.
Sources: NVD

CVE-2026-33479 | P3 | HIGH | CVSS 8.8 | ≤ 26.0 | 2026-03-23
CWE-94: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's
Sources: GHSA, NVD, OSV

CVE-2026-33717 | P3 | HIGH | CVSS 8.8 | ≤ 26.0 | 2026-03-23
CWE-434: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacke
Sources: GHSA, NVD, OSV

CVE-2026-33649 | P3 | HIGH | CVSS 8.8 | ≤ 26.0 | 2026-03-23
CWE-352: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session
Sources: GHSA, NVD, OSV

CVE-2026-33502 | P3 | HIGH | CVSS 8.2 | ≤ 26.0 | 2026-03-23
CWE-918: WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP
Sources: GHSA, NVD, OSV

CVE-2022-30690 | P3 | MEDIUM | CVSS 6.1 | v11.6; dev master commit 3f7c0364 | 2022-08-22
CWE-79: A cross-site scripting (XSS) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
Sources: NVD

CVE-2026-41064 | P3 | CRITICAL | CVSS 9.3 | ≤ 29.0 | 2026-04-22
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 cont
Sources: NVD

CVE-2026-33480 | P3 | HIGH | CVSS 8.6 | ≤ 26.0 | 2026-03-23
CWE-918: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix p
Sources: GHSA, NVD, OSV

CVE-2026-33513 | P3 | HIGH | CVSS 7.5 | ≤ 26.0 | 2026-03-23
CWE-22: WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclo
Sources: GHSA, NVD, OSV

CVE-2022-33147 | P3 | HIGH | CVSS 8.8 | v11.6; dev master commit 3f7c0364 | 2022-08-22
CWE-89: A SQL injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability. This vulnerability exists in the aVideoEncoder functionality which can be used to add new videos, allowin
Sources: NVD

CVE-2022-33149 | P3 | HIGH | CVSS 8.8 | v11.6; dev master commit 3f7c0364 | 2022-08-22
CWE-89: A SQL injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability. This vulnerability exists in the CloneSite plugin, allowing an attacker to inject SQL by manipulating the
Sources: NVD

CVE-2023-49589 | P3 | HIGH | CVSS 8.8 | v15fed957fb; dev master commit 15fed957fb | 2024-01-10
CWE-640: An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability.
Sources: NVD

CVE-2026-33507 | P3 | HIGH | CVSS 8.8 | ≤ 26.0 | 2026-03-23
CWE-352: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connectio
Sources: GHSA, NVD, OSV

CVE-2026-33038 | P3 | HIGH | CVSS 8.1 | fixed in 26.0 | 2026-03-20
CWE-306: WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST
Sources: GHSA, NVD, OSV

CVE-2022-32282 | P3 | HIGH | CVSS 8.8 | v11.6; dev master commit 3f7c0364 | 2022-08-22
CWE-836: An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. An attacker that owns a user's password hash will be able to use it to directly log in to the account, leading to increased privileges.
Sources: NVD

CVE-2026-33039 | P3 | HIGH | CVSS 8.6 | fixed in 26.0 | 2026-03-20
CWE-918: WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser()
Sources: GHSA, NVD, OSV

CVE-2026-33293 | P3 | HIGH | CVSS 8.1 | fixed in 26.0; ≤ 29.0 | 2026-03-22
CWE-22: WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical
Sources: GHSA, NVD, OSV

CVE-2026-27732 | P3 | HIGH | CVSS 8.1 | fixed in 22.0; ≤ 26.0 | 2026-02-24
CWE-918: WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoi
Sources: GHSA, NVD, OSV

CVE-2023-49599 | P3 | CRITICAL | CVSS 9.8 | v15fed957fb; dev master commit 15fed957fb | 2024-01-10
CWE-331: An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted series of HTTP requests can lead to privilege escalation. An attacker can gather system information via HTTP requests and brute force the salt offline, leading to forging a legitimate password recovery
Sources: GHSA, NVD, OSV

CVE-2026-33319 | P3 | HIGH | CVSS 7.5 | fixed in 26.0 | 2026-03-22
CWE-78: WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MI
Sources: GHSA, NVD, OSV