cvebase

WWBN AVideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25 · HIGH 78 · MEDIUM 108 · LOW 1

Vulnerabilities

Page 6 of 11
CVE-2022-26842 · P3 · CRITICAL · CVSS 9.6 · affects v11.6 and dev master commit 3f7c0364 · 2022-08-22
CWE-79: A reflected cross-site scripting (XSS) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
Sources: nvd
CVE-2022-32777 · P3 · HIGH · CVSS 7.5 · affects v11.6 and dev master commit 3f7c0364 · 2022-08-22
CWE-732: An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the Secure flag, which allows the session cookie to be leaked over non-HTTPS connections. Thi…
Sources: nvd
CVE-2022-32778 · P3 · HIGH · CVSS 7.5 · affects v11.6 and dev master commit 3f7c0364 · 2022-08-22
CWE-732: An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the Secure flag, which allows the session cookie to be leaked over non-HTTPS connections. Thi…
Sources: nvd
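A quick way to check a deployment for the cookie-flag findings of CVE-2022-32777 and CVE-2022-32778 is to parse the Set-Cookie headers a login response returns. The following is an added example written for this page, not AVideo code: the header values are constructed, the session cookie name PHPSESSID is an assumption (PHP's default; the advisory does not name the session cookie), and the SameSite check goes one step beyond what the advisory describes.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags.

Added example for this page; not AVideo code. Sample headers below are
constructed, and the session cookie name PHPSESSID is an assumption
(PHP's default), since the advisory text does not name it.
"""

# Cookies that carry authentication state and therefore need both flags.
# "pass" is the cookie named in the advisory; PHPSESSID is assumed.
SENSITIVE_COOKIES = {"phpsessid", "pass"}

# Constructed responses: one mirroring the advisory, one hardened.
VULNERABLE_RESPONSE = [
    "PHPSESSID=0123456789abcdef; path=/",                      # no HttpOnly, no Secure
    "pass=e99a18c428cb38d5f260853678922e03; path=/; Secure",   # no HttpOnly
    "theme=dark; path=/",                                      # not sensitive, ignored
]
HARDENED_RESPONSE = [
    "PHPSESSID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax",
    "pass=e99a18c428cb38d5f260853678922e03; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no '='; store them as True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, sensitive=SENSITIVE_COOKIES):
    """Return [(cookie_name, problem), ...] for a single Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    if name.lower() not in sensitive:
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append((name, "missing HttpOnly: readable by script, e.g. through an XSS"))
    if "secure" not in attrs:
        findings.append((name, "missing Secure: sent over plain HTTP"))
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append((name, "no SameSite=Lax/Strict: cross-site requests carry it"))
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one HTTP response."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header))
    return findings


if __name__ == "__main__":
    for cookie, problem in audit_response(VULNERABLE_RESPONSE):
        print(f"{cookie}: {problem}")
    print("hardened response findings:", audit_response(HARDENED_RESPONSE))
```

On a PHP host the session cookie's flags are controlled by `session.cookie_httponly` and `session.cookie_secure` in php.ini; application-set cookies such as `pass` need the flags passed to `setcookie()` explicitly.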
CVE-2025-34435 · P3 · MEDIUM · CVSS 6.5 · fixed in 20.0 · 2025-12-17
CWE-639: AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.
Sources: nvd
CVE-2026-33723 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 26.0 · 2026-03-23
CWE-89: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from `$_POST['user_id']` in both `subscribe.json.php` and `s…
Sources: ghsa, nvd, osv
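The pattern behind CVE-2026-33723, a request value spliced into an INSERT by string concatenation, and its parameterized fix, as an added example written for this page rather than AVideo code. The `subscribes` table, its column names, the user ids and the payload are all constructed; SQLite in memory stands in for the real database so the example runs offline.

```python
"""SQL injection through string concatenation, and the parameterized fix.

Added example for this page; not AVideo code. The `subscribes` table,
column names and payload are constructed to illustrate the pattern
described for Subscribe::save(): a request-controlled users_id spliced
into an INSERT. Uses SQLite in memory so it runs offline.
"""
import sqlite3


def make_db():
    """Constructed stand-in for the subscriptions table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribes ("
        " id INTEGER PRIMARY KEY,"
        " users_id INTEGER NOT NULL,"             # channel being subscribed to
        " subscriber_users_id INTEGER NOT NULL)"  # the logged-in requester
    )
    return conn


def save_vulnerable(conn, user_id, subscriber_id):
    """Mirrors the flawed pattern: the POSTed value is concatenated into SQL."""
    sql = (
        "INSERT INTO subscribes (users_id, subscriber_users_id) VALUES ("
        + str(user_id) + ", " + str(subscriber_id) + ")"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def save_hardened(conn, user_id, subscriber_id):
    """Validate the type first, then bind the value; the driver never parses it as SQL."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("users_id must be an integer") from None
    conn.execute(
        "INSERT INTO subscribes (users_id, subscriber_users_id) VALUES (?, ?)",
        (uid, int(subscriber_id)),
    )
    conn.commit()


def rows(conn):
    """All subscriptions in insertion order, for inspection."""
    return conn.execute(
        "SELECT users_id, subscriber_users_id FROM subscribes ORDER BY id"
    ).fetchall()


# Constructed payload: closes the VALUES tuple early and appends a second row
# that records a subscription on behalf of user 2, who never asked for it.
PAYLOAD = "7, 2), (7"
ATTACKER_ID = 1

if __name__ == "__main__":
    db = make_db()
    print(save_vulnerable(db, PAYLOAD, ATTACKER_ID))
    print("rows after vulnerable save:", rows(db))   # a row for user 2 appears
    db = make_db()
    try:
        save_hardened(db, PAYLOAD, ATTACKER_ID)
    except ValueError as err:
        print("hardened save rejected payload:", err)
    save_hardened(db, "7", ATTACKER_ID)
    print("rows after hardened save:", rows(db))
```

The integer check before binding matters: with SQLite's type affinity a bound string such as the payload would be stored as text in the INTEGER column rather than rejected, so parameter binding alone silently accepts garbage even though it no longer executes it.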
CVE-2026-40925 · P3 · HIGH · CVSS 8.3 · affects ≤ 29.0 · 2026-04-21
CWE-352: WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not va…
Sources: nvd
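What the missing checks in CVE-2026-40925 amount to, as an added example for this page (not AVideo code): a handler that stops at the admin check, beside one that also requires a same-origin Origin/Referer header and a per-session token compared in constant time. The token scheme (an HMAC over the session id), the site origin, the secret and the request and session dicts are constructed assumptions, not AVideo's `globalToken` implementation.

```python
"""CSRF protection for a state-changing admin endpoint.

Added example for this page; not AVideo code. It models the failure
described for configurationUpdate.json.php (an admin-only check and
nothing else) next to a handler that also requires a per-session token
and a same-origin Origin/Referer header. The token scheme (HMAC of the
session id), origin, secret and request dicts are all constructed.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://video.example.test"        # constructed
SERVER_SECRET = b"constructed-secret-change-me"   # would live in server config


def csrf_token(session_id):
    """Per-session token; assumed scheme, not AVideo's globalToken implementation."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """True only if Origin (or, failing that, Referer) matches the site origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def update_config_vulnerable(request, session, config):
    """Only checks the admin flag: a cross-site form POST riding the admin's cookies succeeds."""
    if not session.get("is_admin"):
        return 403
    config.update(request["form"])
    return 200


def update_config_hardened(request, session, config):
    """Admin check, then origin check, then constant-time token check, then write."""
    if not session.get("is_admin"):
        return 403
    if not same_origin(request["headers"]):
        return 403
    submitted = request["form"].get("globalToken", "")
    if not hmac.compare_digest(submitted, csrf_token(session["id"])):
        return 403
    settings = {k: v for k, v in request["form"].items() if k != "globalToken"}
    config.update(settings)
    return 200


ADMIN_SESSION = {"id": "sess-admin-01", "is_admin": True}   # constructed

# Forged request: the browser attaches the admin's cookies, but Origin is the
# attacker's page and the attacker cannot know the token.
CROSS_SITE_POST = {
    "headers": {"Origin": "https://attacker.example.test"},
    "form": {"siteTitle": "pwned", "contactEmail": "attacker@example.test"},
}

# Legitimate request from the admin UI carrying the token.
LEGIT_POST = {
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"siteTitle": "Renamed Site", "globalToken": csrf_token(ADMIN_SESSION["id"])},
}

if __name__ == "__main__":
    cfg = {"siteTitle": "My Site"}
    print(update_config_vulnerable(CROSS_SITE_POST, ADMIN_SESSION, cfg), cfg)
    cfg = {"siteTitle": "My Site"}
    print(update_config_hardened(CROSS_SITE_POST, ADMIN_SESSION, cfg), cfg)
    print(update_config_hardened(LEGIT_POST, ADMIN_SESSION, cfg), cfg)
```

The origin check and the token check are independent layers: the token alone defeats a cross-site form POST, and the origin check additionally stops a token that leaked (for instance through the XSS entries on this page) from being replayed from another site.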
CVE-2026-34375 · P3 · HIGH · CVSS 8.2 · affects ≤ 26.0 · 2026-03-27
CWE-79: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`…
Sources: ghsa, nvd, osv
CVE-2026-33354 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 26.0 · 2026-03-23
CWE-73: WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass…
Sources: ghsa, nvd, osv
CVE-2026-39368 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 26.0 · 2026-04-07
CWE-918: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary c…
Sources: ghsa, nvd
CVE-2026-39370 · P3 · HIGH · CVSS 7.1 · affects ≤ 26.0 · 2026-04-07
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoder.json.php still allows attacker-controlled downloadURL values with common media or archive extensions such as .mp4, .mp3, .zip, .jpg, .png, .gif, and .webm to bypass SSRF validation. The server then fetches the response and stores it as media content. This allows an…
Sources: ghsa, nvd
CVE-2026-41057 · P3 · HIGH · CVSS 7.1 · affects ≤ 29.0 · 2026-04-21
CWE-346: WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application c…
Sources: nvd
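The difference between reflecting the Origin header and validating it, as an added example for this page (not AVideo code): the reflect-anything behaviour described for `/api/*` in CVE-2026-41057 beside a validator that echoes an origin only on an exact allowlist match. The allowlist and the probe origins are constructed; the probes include the prefix, suffix and `null` cases that substring-style checks get wrong.

```python
"""CORS origin handling: reflected origin vs. an exact allowlist.

Added example for this page; not AVideo code. It contrasts the
reflect-anything behaviour described for /api/* with a validator that
only echoes an origin on an exact match. Allowlist and probe origins are
constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: exact scheme://host[:port] strings, nothing wildcarded.
ALLOWED_ORIGINS = {
    "https://video.example.test",
    "https://admin.video.example.test",
}


def cors_headers_vulnerable(origin):
    """Reflects whatever Origin arrived, with credentials allowed: any site can
    read authenticated API responses from a victim's browser."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(origin):
    """Return scheme://host[:port] in lower case, or None if it is not a plain origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_hardened(origin, allowed=ALLOWED_ORIGINS):
    """Echo the origin only on an exact allowlist match; never reflect, never
    '*' together with credentials. Vary: Origin keeps shared caches from
    serving one origin's answer to another."""
    normalized = normalize_origin(origin)
    if normalized is None or normalized not in allowed:
        return {"Vary": "Origin"}   # no ACAO header: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed probe origins, including the classic prefix/suffix confusions.
PROBES = [
    "https://video.example.test",                  # allowed
    "https://attacker.example.test",               # not allowed
    "https://video.example.test.attacker.test",    # prefix-match trap
    "https://evilvideo.example.test",              # suffix-match trap
    "null",                                        # sandboxed iframe / file://
    "https://VIDEO.example.test",                  # case difference only
]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "->", cors_headers_hardened(probe).get("Access-Control-Allow-Origin"))
```

When auditing a fix like the one the advisory calls incomplete, probe every route that can emit CORS headers separately, since middleware, router and per-endpoint code can each reflect the origin on their own.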
CVE-2026-34737 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 26.0 · 2026-03-31
CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including cancellation. Due to a bug in the retrieveSubscripti…
Sources: ghsa, nvd, osv
CVE-2022-32761 · P3 · MEDIUM · CVSS 6.5 · affects v11.6 and dev master commit 3f7c0364 · 2022-08-22
CWE-73: An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
Sources: nvd
CVE-2022-28710 · P3 · MEDIUM · CVSS 6.5 · affects v11.6 and dev master commit 3f7c0364 · 2022-08-22
CWE-73: An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
Sources: nvd
CVE-2026-43874 · P3 · HIGH · affects ≤ 29.0 · 2026-05-05
CWE-94: AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass.
Summary: The server-side mitigation for the YPTSocket `autoEvalCodeOnHTML` eval sink (prior advisory GHSA-gph2-j4c9-vhhr, commit `c08694bf6`) only strips the payload whe…
Sources: ghsa
CVE-2023-49810 · P3 · MEDIUM · CVSS 6.5 · affects dev master commit 15fed957fb · 2024-01-10
CWE-307: A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to captcha bypass, which can be abused by an attacker to brute force user credentials. An attacker can send a series of HTTP requests to trigger this vulnerability.
Sources: ghsa, nvd, osv
CVE-2026-34395 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 26.0 · 2026-03-31
CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(), so any registered user can dump the full user da…
Sources: ghsa, nvd, osv
CVE-2026-40907 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 29.0 · 2026-04-21
CWE-639: WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform str…
Sources: nvd
CVE-2026-39366 · P3 · MEDIUM · CVSS 6.5 · affects ≤ 26.0 · 2026-04-07
CWE-345: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly…
Sources: ghsa, nvd, osv
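The replay problem described for the IPN v1 handler in CVE-2026-39366, and the deduplication that closes it, as an added example for this page (not AVideo code). The notification payloads, the in-memory wallet, the user ids and the gateway verification stub are constructed; a real handler must also post the message back to PayPal for validation, which the stub stands in for.

```python
"""Idempotent handling of PayPal-style IPN notifications.

Added example for this page; not AVideo code. It shows the replay
problem described for plugin/PayPalYPT/ipn.php (no transaction
deduplication) next to a handler that records each txn_id and credits a
wallet at most once. Payloads, wallet store and the verification stub
are constructed; the real postback validation to PayPal is stubbed.
"""


def verify_with_gateway(notification):
    """Stub for the IPN postback validation (a network call in a real deployment).
    Constructed: treats a payload as verified when it carries our marker field."""
    return notification.get("verified_stub") is True


class Wallet:
    """Constructed in-memory wallet store: users_id -> balance."""

    def __init__(self):
        self.balances = {}

    def credit(self, users_id, amount):
        self.balances[users_id] = self.balances.get(users_id, 0.0) + amount


def ipn_vulnerable(notification, wallet):
    """Verifies the message and credits the wallet, but never asks whether this
    txn_id was already processed: resending the same IPN credits again."""
    if not verify_with_gateway(notification):
        return "rejected"
    if notification["payment_status"] != "Completed":
        return "ignored"
    wallet.credit(notification["custom"], float(notification["mc_gross"]))
    return "credited"


class IpnHandler:
    """Hardened handler: one credit per (txn_id, status); replays are dropped."""

    def __init__(self, wallet, expected_currency="USD"):
        self.wallet = wallet
        self.expected_currency = expected_currency
        self.processed = set()   # in production: a UNIQUE(txn_id, status) row, not a set

    def handle(self, notification):
        if not verify_with_gateway(notification):
            return "rejected"
        if notification["payment_status"] != "Completed":
            return "ignored"
        if notification.get("mc_currency") != self.expected_currency:
            return "rejected"
        key = (notification["txn_id"], notification["payment_status"])
        if key in self.processed:
            return "duplicate"
        # Record before crediting: a crash between the two can lose a credit,
        # but never double one.
        self.processed.add(key)
        self.wallet.credit(notification["custom"], float(notification["mc_gross"]))
        return "credited"


# Constructed IPN payload (a subset of PayPal's fields) and its byte-identical replay.
IPN = {
    "txn_id": "8XY12345AB678901C",
    "payment_status": "Completed",
    "mc_gross": "25.00",
    "mc_currency": "USD",
    "custom": "42",          # application-side user id carried through the payment
    "verified_stub": True,
}
REPLAY = dict(IPN)

if __name__ == "__main__":
    w = Wallet()
    print([ipn_vulnerable(n, w) for n in (IPN, REPLAY, REPLAY)], w.balances)   # credited 3x
    w = Wallet()
    handler = IpnHandler(w)
    print([handler.handle(n) for n in (IPN, REPLAY, REPLAY)], w.balances)     # credited once
```

Because a gateway may legitimately redeliver a notification, the dedup key must be the gateway's transaction id plus status rather than a hash of the whole message; and persisting it with a unique constraint, rather than an in-process set, is what makes the check survive restarts and concurrent workers.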
CVE-2026-34245 · P3 · MEDIUM · CVSS 6.3 · affects ≤ 26.0 · 2026-03-27
CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/PlayLists/View/Playlists_schedules/add.json.php` endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebr…
Sources: ghsa, nvd, osv