WWBN AVideo vulnerabilities
163 known vulnerabilities affecting wwbn/avideo.
Total CVEs: 163
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 21, HIGH 64, MEDIUM 76, LOW 2
Vulnerabilities
Page 5 of 9
CVE-2026-33296 | LOW | CVSS 2.1 | CWE-601 | fixed in 26.0 | 2026-03-22
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback exec
Sources: GHSA, NVD, OSV
CVE-2026-33238 | MEDIUM | CVSS 4.3 | CWE-22 | fixed in 26.0 | 2026-03-21
WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp
Sources: GHSA, NVD, OSV
CVE-2026-33237 | MEDIUM | CVSS 5.5 | CWE-918 | fixed in 26.0 | 2026-03-21
WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f
Sources: GHSA, NVD, OSV
CVE-2026-33043 | HIGH | CVSS 8.1 | CWE-942 | fixed in 26.0 | 2026-03-20
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full a
Sources: GHSA, NVD, OSV
CVE-2026-33037 | HIGH | CVSS 8.1 | CWE-1188 | fixed in 26.0 | 2026-03-20
WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed without overriding SYSTEM_ADMIN_PASSWORD is immediatel
Source: NVD
CVE-2026-33039 | HIGH | CVSS 8.6 | CWE-918 | fixed in 26.0 | 2026-03-20
WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location header), the redirect target is fetched via fakeBrowser()
Sources: GHSA, NVD, OSV
CVE-2026-33038 | HIGH | CVSS 8.1 | CWE-306 | fixed in 26.0 | 2026-03-20
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and configuration file write, all from an unauthenticated POST
Sources: GHSA, NVD, OSV
CVE-2026-33041 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 26.0 | 2026-03-20
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker ob
Sources: GHSA, NVD, OSV
CVE-2026-33035 | MEDIUM | CVSS 5.3 | CWE-79 | fixed in 26.0 | 2026-03-20
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and
Sources: GHSA, NVD, OSV
CVE-2026-30885 | MEDIUM | CVSS 5.5 | CWE-306 | fixed in 25.0 | 2026-03-10
WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user
Sources: GHSA, NVD, OSV
CVE-2026-28501 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | fixed in 24.0 | 2026-03-06
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is p
Sources: GHSA, NVD, OSV
CVE-2026-29093 | CRITICAL | CVSS 9.8 | CWE-287 | fixed in 24.0 | 2026-03-06
WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush se
Sources: GHSA, NVD, OSV
CVE-2026-28502 | CRITICAL | CVSS 9.3 | CWE-434 | fixed in 24.0 | 2026-03-06
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive containing executable server-side files. Due to insuff
Source: NVD
CVE-2026-29058 | CRITICAL | CWE-78 | PoC | ≥ 0, < 7.0.0 | 2026-03-03
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
## Impact
An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the `base64Url` GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, intern
Sources: GHSA, OSV
CVE-2026-27732 | HIGH | CVSS 8.6 | CWE-918 | fixed in 22.0 | ≤ 26.0 | 2026-02-24
WWBN AVideo is an open source video platform. Prior to version 22.0, the `aVideoEncoder.json.php` API endpoint accepts a `downloadURL` parameter and fetches the referenced resource server-side without proper validation or an allow-list. This allows authenticated users to trigger server-side requests to arbitrary URLs (including internal network endpoi
Sources: GHSA, NVD, OSV
CVE-2026-27568 | MEDIUM | CVSS 5.1 | CWE-79 | fixed in 21.0 | ≤ 26.0 | 2026-02-24
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that inj
Sources: GHSA, NVD, OSV
CVE-2020-37158 | HIGH | CVSS 8.5 | CWE-352 | v8.1 | 2026-02-11
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
Source: NVD
CVE-2020-37172 | HIGH | CVSS 8.5 | CWE-640 | v8.1 | 2026-02-11
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
Source: NVD
CVE-2020-37173 | HIGH | CVSS 8.7 | CWE-359 | v8.1 | 2026-02-11
AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.
Source: NVD
CVE-2025-34434 | CRITICAL | CVSS 9.3 | CWE-306 | fixed in 20.0 | 2025-12-17
AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based vide
Source: NVD