
Wwbn Avideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1

Vulnerabilities

Page 4 of 11
CVE-2022-33148 | P3 | HIGH | CVSS 8.8 | v11.6, vdev master commit 3f7c0364 | 2022-08-22
CVE-2022-33148 [HIGH] CWE-89: A SQL injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability. This vulnerability exists in the Live Schedules plugin, allowing an attacker to inject SQL by manipulatin
Sources: nvd

CVE-2022-34652 | P3 | HIGH | CVSS 8.8 | v11.6, vdev master commit 3f7c0364 | 2022-08-22
CVE-2022-34652 [HIGH] CWE-89: A SQL injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability. This vulnerability exists in the Live Schedules plugin, allowing an attacker to inject SQL by manipulatin
Sources: nvd

CVE-2026-41058 | P3 | HIGH | CVSS 8.1 | ≤ 29.0 | 2026-04-21
CVE-2026-41058 [HIGH]: WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
Sources: nvd

CVE-2026-41056 | P3 | HIGH | CVSS 8.1 | ≤ 29.0 | 2026-04-21
CVE-2026-41056 [HIGH] CWE-942: WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.j
Sources: nvd

CVE-2026-33493 | P3 | HIGH | CVSS 8.1 | ≤ 26.0 | 2026-03-23
CVE-2026-33493 [HIGH] CWE-22: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hardened with a `realpath()` + directory prefix check to restrict paths to the
Sources: ghsa, nvd, osv

CVE-2022-30605 | P3 | HIGH | CVSS 8.8 | v11.6, vdev master commit 3f7c0364 | 2022-08-22
CVE-2022-30605 [HIGH] CWE-384: A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
Sources: nvd

CVE-2026-33292 | P3 | HIGH | CVSS 7.5 | fixed in 26.0 | 2026-03-22
CVE-2026-33292 [HIGH] CWE-22: WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two divergent code paths — one for authorization (which trunc
Sources: ghsa, nvd, osv

CVE-2026-33483 | P3 | HIGH | CVSS 7.5 | ≤ 26.0 | 2026-03-23
CVE-2026-33483 [HIGH] CWE-770: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/`
Sources: ghsa, nvd, osv

CVE-2021-21286 | P3 | HIGH | CVSS 8.8 | fixed in 10.2 | 2021-02-01
CVE-2021-21286 [HIGH] CWE-863: AVideo Platform is an open-source Audio and Video platform. It is similar to a self-hosted YouTube. In AVideo Platform before version 10.2 there is an authorization bypass vulnerability which enables an ordinary user to get admin control. This is fixed in version 10.2. All queries now remove the pass hash and the recoverPass hash.
Sources: nvd

CVE-2026-33488 | P3 | HIGH | CVSS 8.1 | ≤ 26.0 | 2026-03-23
CVE-2026-33488 [HIGH] CWE-326: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, der
Sources: ghsa, nvd, osv

CVE-2026-34731 | P3 | HIGH | CVSS 7.5 | ≤ 26.0 | 2026-03-31
CVE-2026-34731 [HIGH] CWE-306: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performs no authentication or authorization checks before doi
Sources: ghsa, nvd, osv

CVE-2020-23489 | P3 | HIGH | CVSS 8.8 | fixed in 8.9 | 2020-11-16
CVE-2020-23489 [HIGH] CWE-862: The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.
Sources: ghsa, nvd, osv

CVE-2026-33485 | P3 | HIGH | CVSS 7.5 | ≤ 26.0 | 2026-03-23
CVE-2026-33485 [HIGH] CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — `LiveTransmitionHistory::getLatest()` and `LiveTransmition::keyE
Sources: ghsa, nvd, osv

CVE-2026-43873 | P3 | HIGH | CVSS 7.5 | ≤ 29.0 | 2026-05-11
CVE-2026-43873 [HIGH] CWE-209: WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to
Sources: ghsa, nvd

CVE-2020-37158 | P3 | HIGH | CVSS 8.8 | v8.1 | 2026-02-11
CVE-2020-37158 [HIGH] CWE-352: AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
Sources: nvd

CVE-2026-33043 | P3 | HIGH | CVSS 8.1 | fixed in 26.0 | 2026-03-20
CVE-2026-33043 [HIGH] CWE-942: WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full a
Sources: ghsa, nvd, osv

CVE-2025-25214 | P3 | HIGH | CVSS 7.5 | v14.4, vdev master commit 8a8954ff | 2025-07-24
CVE-2025-25214 [HIGH] CWE-362: A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP requests can lead to arbitrary code execution.
Sources: nvd

CVE-2026-43885 | P3 | HIGH | CVSS 7.7 | ≤ 29.0 | 2026-05-11
CVE-2026-43885 [HIGH] CWE-200: WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an updated fix.
Sources: ghsa, nvd

CVE-2026-33650 | P3 | HIGH | CVSS 7.6 | ≤ 26.0 | 2026-03-23
CVE-2026-33650 [HIGH] CWE-863: WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactiv
Sources: ghsa, nvd, osv

CVE-2026-34732 | P3 | HIGH | CVSS 7.5 | ≤ 26.0 | 2026-03-31
CVE-2026-34732 [HIGH] CWE-306: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin th
Sources: ghsa, nvd, osv