WWBN AVideo vulnerabilities

163 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 163
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 21, HIGH 64, MEDIUM 76, LOW 2

Vulnerabilities

Page 4 of 9
CVE-2026-33651 | HIGH | CVSS 8.8 | affected ≤ 26.0 | 2026-03-23
CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functi
CVE-2026-33479 | HIGH | CVSS 8.8 | affected ≤ 26.0 | 2026-03-23
CWE-94: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's
CVE-2026-33719 | HIGH | CVSS 8.6 | affected ≤ 26.0 | 2026-03-23
CWE-306: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is co
CVE-2026-33647 | HIGH | CVSS 8.8 | affected ≤ 26.0 | 2026-03-23
CWE-434: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magi
CVE-2026-33507 | HIGH | CVSS 8.8 | affected ≤ 26.0 | 2026-03-23
CWE-352: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connectio
CVE-2026-33500 | MEDIUM | CVSS 5.4 | affected ≤ 26.0 | 2026-03-23
CVE-2026-33500: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` i
CVE-2026-33685 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-03-23
CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/cl
CVE-2026-33690 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-03-23
CWE-348: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df
CVE-2026-33297 | MEDIUM | CVSS 5.1 | fixed in 26.0 | 2026-03-23
CWE-639: WWBN AVideo is an open source video platform. Prior to version 26.0, the `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zer
CVE-2026-33499 | MEDIUM | CVSS 6.1 | affected ≤ 26.0 | 2026-03-23
CWE-79: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attr
CVE-2026-33354 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-03-23
CWE-73: WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass
CVE-2026-33501 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-03-23
CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same
CVE-2026-33688 | MEDIUM | CVSS 5.3 | affected ≤ 26.0 | 2026-03-23
CWE-204: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive,
CVE-2026-33723 | MEDIUM | CVSS 6.5 | affected ≤ 26.0 | 2026-03-23
CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `s
CVE-2026-33683 | MEDIUM | CVSS 5.4 | affected ≤ 26.0 | 2026-03-23
CWE-79: WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` function entity-encodes input before `strip_specific_tags()` ca
CVE-2026-33292 | HIGH | CVSS 7.5 | fixed in 26.0 | 2026-03-22
CWE-22: WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which trunc
CVE-2026-33295 | HIGH | CVSS 8.2 | fixed in 26.0 | 2026-03-22
CWE-79: WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a vi
CVE-2026-33293 | HIGH | CVSS 8.1 | fixed in 26.0 | 2026-03-22
CWE-22: WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to delete arbitrary files on the server, including critical
CVE-2026-33319 | HIGH | CVSS 7.5 | fixed in 26.0 | 2026-03-22
CWE-78: WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If an attacker can influence the LinkedIn API response (via MI
CVE-2026-33294 | MEDIUM | CVSS 4.3 | fixed in 26.0 | 2026-03-22
CWE-918: WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were hardened with `isSSRFSafeURL()`, this code path was missed.