WWBN AVideo vulnerabilities
212 known vulnerabilities affecting wwbn/avideo.
Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1
Vulnerabilities (page 5 of 11)
CVE-2026-34733 | P3 | HIGH | CVSS 7.3 | CWE-284 | affected: ≤ 26.0 | 2026-03-31 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to
CVE-2025-34438 | P3 | HIGH | CVSS 8.1 | CWE-639 | fixed in 20.0 | 2025-12-17 | sources: nvd
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.
CVE-2026-39369 | P3 | HIGH | CVSS 7.6 | CWE-22 | affected: ≤ 26.0 | 2026-04-07 | sources: ghsa, nvd
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read
CVE-2026-33512 | P3 | HIGH | CVSS 7.5 | CWE-287 | affected: ≤ 26.0 | 2026-03-23 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Commit 3fdeecef37bb88967a
CVE-2026-33867 | P3 | HIGH | CVSS 7.5 | CWE-312 | affected: ≤ 26.0 | 2026-03-27 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or mis
CVE-2026-34394 | P3 | HIGH | CVSS 8.1 | CWE-352 | affected: ≤ 26.0 | 2026-03-31 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forg
CVE-2026-33681 | P3 | HIGH | CVSS 7.2 | CWE-22 | affected: ≤ 26.0 | 2026-03-23 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plu
CVE-2026-40909 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | affected: ≤ 29.0 | 2026-04-21 | sources: nvd
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (o
CVE-2020-23490 | P3 | HIGH | CVSS 7.5 | fixed in 8.9 | 2020-11-16 | sources: nvd
There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. An unauthenticated attacker can exploit this issue to read an arbitrary file on the server, which could leak database credentials or other sensitive information such as the /etc/passwd file.
CVE-2026-43884 | P3 | HIGH | CVSS 7.7 | CWE-918 | affected: ≤ 29.0 | 2026-05-11 | sources: ghsa, nvd
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL po
CVE-2026-33492 | P3 | HIGH | CVSS 7.3 | CWE-384 | affected: ≤ 26.0 | 2026-03-23 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combi
CVE-2022-29468 | P3 | HIGH | CVSS 8.8 | CWE-352 | affected: v11.6, dev master commit 3f7c0364 | 2022-08-22 | sources: nvd
A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVE-2026-41062 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | affected: ≤ 29.0 | 2026-04-21 | sources: nvd
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/
CVE-2025-41420 | P3 | CRITICAL | CVSS 9.6 | CWE-79 | affected: v14.4, dev master commit 8a8954ff | 2025-07-24 | sources: nvd
A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
CVE-2025-36548 | P3 | CRITICAL | CVSS 9.6 | CWE-79 | affected: v14.4, dev master commit 8a8954ff | 2025-07-24 | sources: nvd
A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
CVE-2023-49738 | P3 | HIGH | CVSS 7.5 | CWE-73 | affected: v15fed957fb, dev master commit 15fed957fb | 2024-01-10 | sources: nvd
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
CVE-2020-37173 | P3 | HIGH | CVSS 7.5 | CWE-359 | affected: v8.1 | 2026-02-11 | sources: nvd
AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.
CVE-2022-28712 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | affected: v11.6, dev master commit 3f7c0364 | 2022-08-22 | sources: nvd
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVE-2026-34740 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | affected: ≤ 26.0 | 2026-03-31 | sources: ghsa, nvd, osv
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addres
CVE-2026-41060 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | affected: ≤ 29.0 | 2026-04-21 | sources: nvd
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an att