WWBN AVideo vulnerabilities
163 known vulnerabilities affecting wwbn/avideo.
Total CVEs: 163
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: Critical 21, High 64, Medium 76, Low 2
Vulnerabilities
Page 3 of 9
CVE-2026-33759 | MEDIUM | CVSS 5.3 | CWE-639 | affected: ≤ 26.0 | 2026-03-27
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `
CVE-2026-33351 | CRITICAL | CVSS 9.1 | CWE-918 | fixed in 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery (SSRF) vulnerability exists in `plugin/Live/standAloneFiles/saveDVR.json.php`. When the AVideo Live plugin is deployed in standalone mode (the intended configuration for this file), the `$_REQUEST['webSiteRootURL']` parameter is used directly to cons
CVE-2026-33716 | CRITICAL | CVSS 9.4 | CWE-287 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server
CVE-2026-33478 | CRITICAL | CVSS 10.0 | CWE-78 | public PoC | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The `clones.json.php` endpoint exposes clone secret keys without authentication, which can be used to trigger a full
CVE-2026-33352 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. Prior to version 26.0, an unauthenticated SQL injection vulnerability exists in `objects/category.php` in the `getAllCategories()` method. The `doNotShowCats` request parameter is sanitized only by stripping single-quote characters (`str_replace("'", '', ...)`), but this is trivially bypassed using a ba
CVE-2026-33502 | HIGH | CVSS 8.2 | CWE-918 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP
CVE-2026-33492 | HIGH | CVSS 7.3 | CWE-384 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combi
CVE-2026-33681 | HIGH | CVSS 7.2 | CWE-22 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plu
CVE-2026-33483 | HIGH | CVSS 7.5 | CWE-770 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/`
CVE-2026-33488 | HIGH | CVSS 8.1 | CWE-326 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, der
CVE-2026-33650 | HIGH | CVSS 7.6 | CWE-863 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactiv
CVE-2026-33480 | HIGH | CVSS 8.6 | CWE-918 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix p
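The three SSRF entries above (CVE-2026-33351, CVE-2026-33502 and the `isSSRFSafeURL()` bypass in CVE-2026-33480) share one root cause: the server fetches a URL whose host it has not properly normalised. The following is an added illustration in Python, not AVideo's PHP code. `weak_is_ssrf_safe_url()` is a hypothetical reconstruction of an IPv4-only denylist of the kind the advisory describes, and `is_ssrf_safe_url()` is a hardened replacement that unwraps IPv4-mapped, 6to4 and Teredo IPv6 forms before testing for internal ranges and checks every address a hostname resolves to. The resolver is injectable so the check runs offline; the sample hosts are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def weak_is_ssrf_safe_url(url: str) -> bool:
    """Hypothetical weak check in the spirit of the advisory: it only
    understands dotted-quad IPv4 literals. Anything else (hostnames, but also
    IPv6 literals such as ::ffff:127.0.0.1) is waved through unchecked."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def unwrap_transition_address(ip: IPAddr) -> IPAddr:
    """Reduce IPv6 transition forms to the IPv4 address they encapsulate, so
    the internal-range tests run against the real destination."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:   # ::ffff:a.b.c.d (also ::ffff:7f00:1)
            return ip.ipv4_mapped
        if ip.sixtofour is not None:     # 2002:<ipv4 as hex>::/48
            return ip.sixtofour
        if ip.teredo is not None:        # 2001::/32 -> (server, client)
            return ip.teredo[1]
    return ip


def canonical_ip(text: str) -> str:
    """String form of the unwrapped address, e.g. '::ffff:10.1.2.3' -> '10.1.2.3'."""
    return str(unwrap_transition_address(ipaddress.ip_address(text)))


def is_internal(ip: IPAddr) -> bool:
    ip = unwrap_transition_address(ip)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> List[str]:
    """Every address the host maps to (A and AAAA), so a dual-stack name
    cannot hide an internal record behind a public one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_ssrf_safe_url(url: str,
                     resolve: Callable[[str], List[str]] = default_resolver) -> bool:
    """Hardened check: allowlist the scheme, take the bracket-stripped host,
    and test every address it denotes (literal or resolved) for internal ranges."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname          # lower-cased; brackets removed for IPv6
    if not host:
        return False
    try:
        targets = [ipaddress.ip_address(host)]
    except ValueError:             # not a literal: resolve it
        try:
            targets = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
    return bool(targets) and not any(is_internal(t) for t in targets)
```

Two caveats the check alone does not cover: a hostname can be re-resolved to an internal address between the check and the fetch (DNS rebinding), so the fetch should be pinned to the addresses that were validated (curl's `CURLOPT_RESOLVE`), and a fetched URL can redirect to an internal one, so either disable redirect following or re-validate each hop.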
CVE-2026-33649 | HIGH | CVSS 8.8 | CWE-352 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session
CVE-2026-33485 | HIGH | CVSS 7.5 | CWE-89 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyE
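CVE-2026-33352 (the `doNotShowCats` parameter, sanitised only by removing single quotes) and CVE-2026-33485 (the stream key interpolated into SQL) are two shapes of the same defect. The block below is an added Python/SQLite illustration, not AVideo's code; the schema, the category rows and the stream key are constructed. The vulnerable functions are hypothetical reconstructions of the patterns the advisories describe. The description of CVE-2026-33352 is truncated before it names its bypass; the payload shown here is one that needs no quote at all, because the value lands in a numeric `IN (...)` context, which is why quote stripping cannot help.

```python
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the application's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, is_private INTEGER);
        INSERT INTO categories VALUES (1, 'public-a', 0), (2, 'public-b', 0), (3, 'secret', 1);
        CREATE TABLE live_transmitions (id INTEGER PRIMARY KEY, stream_key TEXT);
        INSERT INTO live_transmitions VALUES (1, 'k-7f3a9c');
    """)
    return conn


def strip_single_quotes(value: str) -> str:
    """The advisory's sanitiser: str_replace("'", '', ...) and nothing else."""
    return value.replace("'", "")


def get_all_categories_vulnerable(conn, do_not_show_cats: str) -> List[int]:
    """Hypothetical vulnerable pattern: the 'sanitised' value is pasted into a
    numeric IN (...) list. No quote is needed to break out of a numeric context."""
    sql = ("SELECT id FROM categories WHERE is_private = 0 AND id NOT IN ("
           + strip_single_quotes(do_not_show_cats) + ")")
    return [row[0] for row in conn.execute(sql)]


ID_LIST = re.compile(r"^\d+(?:\s*,\s*\d+)*$")


def parse_id_list(value: str) -> List[int]:
    """Accept only a comma-separated list of non-negative integers."""
    value = value.strip()
    if not value:
        return []
    if not ID_LIST.match(value):
        raise ValueError("expected a comma-separated list of integers")
    return [int(x) for x in value.split(",")]


def get_all_categories_safe(conn, do_not_show_cats: str) -> List[int]:
    """Hardened: validate the shape, then bind one placeholder per id."""
    ids = parse_id_list(do_not_show_cats)
    sql = "SELECT id FROM categories WHERE is_private = 0"
    params: tuple = ()
    if ids:
        sql += " AND id NOT IN (" + ",".join("?" * len(ids)) + ")"
        params = tuple(ids)
    return [row[0] for row in conn.execute(sql, params)]


def key_exists_vulnerable(conn, stream_key: str) -> bool:
    """Hypothetical on_publish-style lookup with the key interpolated verbatim."""
    sql = ("SELECT 1 FROM live_transmitions WHERE stream_key = '"
           + stream_key + "' LIMIT 1")
    return conn.execute(sql).fetchone() is not None


def key_exists_safe(conn, stream_key: str) -> bool:
    """Hardened: the key is bound as a parameter, never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM live_transmitions WHERE stream_key = ? LIMIT 1",
                       (stream_key,)).fetchone()
    return row is not None
```

The `on_publish` case matters more than its CVSS suggests: the stream key is exactly the value an RTMP client chooses, so any encoder pointed at the ingest endpoint controls it with no login.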
CVE-2026-33717 | HIGH | CVSS 8.8 | CWE-434 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). By providing an invalid `resolution` parameter, an attacke
CVE-2026-33513 | HIGH | CVSS 7.5 | CWE-22 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclo
CVE-2026-33648 | HIGH | CVSS 8.8 | CWE-78 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`
CVE-2026-33512 | HIGH | CVSS 7.5 | CWE-287 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a
CVE-2026-33493 | HIGH | CVSS 8.1 | CWE-22 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the
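Three entries on this page are path traversal (CVE-2026-33681 in `pluginRunDatabaseScript.json.php`, CVE-2026-33513 in the `locale` API action, and CVE-2026-33493 in `import.json.php`), and the last one names the fix pattern: `realpath()` plus a directory-prefix check. The block below is an added Python illustration of that pattern, not AVideo's PHP. It contrasts a lexical `normpath`-style check, which a symlink defeats, with a `realpath`-based containment check, and shows that for a closed vocabulary like locale names an allowlist on the value itself is the first line. The directory layout and file names are constructed in a temporary directory; the `.mp4` suffix test mirrors the regex-only check the advisory describes.

```python
import os
import re
import tempfile

LOCALE_NAME = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def lexical_join(base_dir: str, user_path: str) -> str:
    """Weak containment: collapses '..' textually but never consults the
    filesystem, so a symlink inside base_dir can still point outside it."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base (lexical)")
    return target


def safe_join(base_dir: str, user_path: str) -> str:
    """realpath() + prefix check: canonicalise both sides (following
    symlinks), then require base to be a path-component prefix of target."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return target


def locale_include_path(locale_dir: str, locale: str) -> str:
    """Allowlist the value first (locale names are a closed vocabulary),
    then build the include path inside the locale directory."""
    if not LOCALE_NAME.match(locale):
        raise ValueError("bad locale name")
    return safe_join(locale_dir, locale + ".php")


def import_video_path(videos_dir: str, file_uri: str) -> str:
    """The advisory's suffix regex alone (ends in .mp4) is kept, and
    containment is added after it."""
    if not re.search(r"\.mp4$", file_uri, re.IGNORECASE):
        raise ValueError("not an .mp4")
    return safe_join(videos_dir, file_uri)


def accepts(fn, *args) -> bool:
    try:
        fn(*args)
        return True
    except ValueError:
        return False


def build_fixture() -> str:
    """Constructed layout: <root>/videos (allowed) and <root>/outside, with a
    symlink videos/link -> outside to show why realpath() matters."""
    root = tempfile.mkdtemp(prefix="avideo-demo-")
    videos, outside = os.path.join(root, "videos"), os.path.join(root, "outside")
    os.makedirs(videos)
    os.makedirs(outside)
    open(os.path.join(videos, "ok.mp4"), "wb").close()
    open(os.path.join(outside, "secret.mp4"), "wb").close()
    os.symlink(outside, os.path.join(videos, "link"))
    return root


def demo() -> dict:
    root = build_fixture()
    videos = os.path.join(root, "videos")
    candidates = ["ok.mp4", "../outside/secret.mp4", "link/secret.mp4",
                  "sub/../../outside/secret.mp4", "/etc/passwd.mp4"]
    return {
        "ok_expected": os.path.join(os.path.realpath(videos), "ok.mp4"),
        "ok_actual": import_video_path(videos, "ok.mp4"),
        "import": {c: accepts(import_video_path, videos, c) for c in candidates},
        "lexical_allows_symlink_escape": accepts(lexical_join, videos, "link/secret.mp4"),
        "locale": {n: accepts(locale_include_path, root, n)
                   for n in ["en_US", "pt", "../config", "en_US/../../x", "en_us"]},
    }


if __name__ == "__main__":
    print(demo())
```

`commonpath` is used rather than `startswith` so that a base of `/srv/videos` does not accept `/srv/videos-old/x`.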
CVE-2026-33482 | HIGH | CVSS 8.1 | CWE-78 | affected: ≤ 26.0 | 2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, ...). However, it fails to strip `$()` (bash command subst
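CVE-2026-33648 (ids from a JSON body embedded in a log path that reaches `exec()`) and CVE-2026-33482 (a metacharacter denylist that misses `$()`) both come down to building a shell command line from text. The block below is an added Python illustration, not AVideo's PHP. `sanitize_ffmpeg_command_denylist()` is a hypothetical reconstruction of the denylist the advisory describes; `echo` stands in for ffmpeg so the vulnerable path can be run harmlessly and the injection observed. The hardened side coerces the ids with `int()` before any path is built and hands ffmpeg an argument vector with no shell, so a `$(...)` in any argument is inert bytes. The ffmpeg flags and the scheme allowlist are assumptions for the example.

```python
import os
import re
import shlex
import subprocess
from typing import List


def sanitize_ffmpeg_command_denylist(cmd: str) -> str:
    """Hypothetical denylist in the spirit of the advisory: removes &&, ;, |
    and backticks but leaves $( ) untouched."""
    for token in ("&&", ";", "|", "`"):
        cmd = cmd.replace(token, "")
    return cmd


def run_via_shell_after_denylist(user_arg: str) -> str:
    """Vulnerable shape: sanitised text concatenated into a shell command
    line, as with PHP exec(). `echo` stands in for ffmpeg."""
    cmd = "echo " + sanitize_ffmpeg_command_denylist(user_arg)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_as_argv(user_arg: str) -> str:
    """Safe shape: an argument vector and no shell, so $( ) is never expanded."""
    return subprocess.run(["echo", user_arg], capture_output=True, text=True).stdout.strip()


def restreamer_log_path(log_dir: str, users_id, liveTransmitionHistory_id) -> str:
    """Both ids arrive in a JSON body as numbers or strings; int() rejects
    anything that is not an integer ('1;id', '../x', '1$(id)') before a
    path is built from it."""
    uid, hid = int(users_id), int(liveTransmitionHistory_id)
    if uid < 0 or hid < 0:
        raise ValueError("ids must be non-negative")
    return os.path.join(log_dir, f"restream_{uid}_{hid}.log")


URL_SCHEME = re.compile(r"^(?:https?|rtmps?)://")


def build_ffmpeg_argv(input_url: str, rtmp_target: str) -> List[str]:
    """Argument vector for the restream; run it with
    subprocess.run(argv, stderr=open(log_path, 'ab')) rather than
    '... 2> log' inside a shell string. Flags are illustrative."""
    for value in (input_url, rtmp_target):
        if not URL_SCHEME.match(value):
            raise ValueError("unsupported scheme: " + value)
    return ["ffmpeg", "-re", "-i", input_url, "-c", "copy", "-f", "flv", rtmp_target]


def display_command(argv: List[str]) -> str:
    """For logs only: shlex.join() quotes each element so the line shown is
    the line that would be safe to paste, never one that was executed."""
    return shlex.join(argv)
```

If a shell really is unavoidable (a wrapper script, for instance), quote every user-derived element with `shlex.quote()` / PHP's `escapeshellarg()` rather than stripping characters from it; a denylist is only ever as complete as the last bypass someone found.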