
Wwbn Avideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1

Vulnerabilities

Page 7 of 11
CVE-2026-33041 | P3 | MEDIUM | CVSS 5.3 | fixed in 26.0 | 2026-03-20
CVE-2026-33041 [MEDIUM] CWE-200: WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. If an attacker ob
Sources: GHSA, NVD, OSV
CVE-2023-49862 | P3 | MEDIUM | CVSS 6.5 | dev master commit 15fed957fb | 2024-01-10
CVE-2023-49862 [MEDIUM] CWE-73: An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_gifimage` parameter.
Sources: NVD
CVE-2023-49863 | P3 | MEDIUM | CVSS 6.5 | dev master commit 15fed957fb | 2024-01-10
CVE-2023-49863 [MEDIUM] CWE-73: An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_webpimage` parameter.
Sources: NVD
CVE-2023-49864 | P3 | MEDIUM | CVSS 6.5 | dev_master_commit_15fed957fb, dev master commit 15fed957fb | 2024-01-10
CVE-2023-49864 [MEDIUM] CWE-73: An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_image` parameter.
Sources: NVD
CVE-2026-43875 | P3 | MEDIUM | CVSS 6.8 | ≤ 29.0 | 2026-05-11
CVE-2026-43875 [MEDIUM] CWE-598: WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=&pass= where is the victim's stored password hash (md5(hash("whirlpool", sha1(password)))) read directly from the users table. AVideo's own login endpoint
Sources: GHSA, NVD
CVE-2026-34716 | P3 | MEDIUM | CVSS 6.4 | ≤ 26.0 | 2026-03-31
CVE-2026-34716 [MEDIUM] CWE-79: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('' + heading + '') and inserts it into the D
Sources: GHSA, NVD, OSV
CVE-2026-43876 | P3 | MEDIUM | CVSS 6.4 | ≤ 29.0 | 2026-05-11
CVE-2026-43876 [MEDIUM] CWE-79: WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no H
Sources: GHSA, NVD
CVE-2026-35179 | P3 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-04-06
CVE-2026-35179 [MEDIUM] CWE-862: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes
Sources: GHSA, NVD, OSV
CVE-2023-47171 | P3 | MEDIUM | CVSS 6.5 | v11.6, v15fed957fb, +1 more | 2024-01-10
CVE-2023-47171 [MEDIUM] CWE-73: An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
Sources: NVD
CVE-2026-33766 | P3 | MEDIUM | CVSS 6.5 | ≤ 26.0 | 2026-03-27
CVE-2026-33766 [MEDIUM] CWE-918: WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal targ
Sources: GHSA, NVD, OSV
CVE-2026-45619 | P3 | MEDIUM | CVSS 6.5 | ≤ 29.0 | 2026-05-29
CVE-2026-45619 [MEDIUM]: WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU.
Sources: GHSA, NVD
CVE-2026-46337 | P3 | MEDIUM | CVSS 5.3 | ≤ 29.0 | 2026-05-29
CVE-2026-46337 [MEDIUM] CWE-22: WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image co
Sources: GHSA, NVD
CVE-2026-40926 | P3 | HIGH | CVSS 7.1 | ≤ 29.0 | 2026-04-21
CVE-2026-40926 [HIGH] CWE-352: WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the d
Sources: NVD
CVE-2026-34613 | P3 | MEDIUM | CVSS 6.5 | ≤ 26.0 | 2026-03-31
CVE-2026-34613 [MEDIUM] CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSe
Sources: GHSA, NVD, OSV
CVE-2026-34611 | P4 | MEDIUM | CVSS 6.5 | ≤ 26.0 | 2026-03-31
CVE-2026-34611 [MEDIUM] CWE-352: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a c
Sources: GHSA, NVD, OSV
CVE-2026-33761 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CVE-2026-33761 [MEDIUM] CWE-200: WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all
Sources: GHSA, NVD, OSV
CVE-2026-33685 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-23
CVE-2026-33685 [MEDIUM] CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/cl
Sources: GHSA, NVD, OSV
CVE-2026-33237 | P4 | MEDIUM | CVSS 5.5 | fixed in 26.0 | 2026-03-21
CVE-2026-33237 [MEDIUM] CWE-918: WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f
Sources: GHSA, NVD, OSV
CVE-2026-33501 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-23
CVE-2026-33501 [MEDIUM] CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same
Sources: GHSA, NVD, OSV
CVE-2026-34369 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CVE-2026-34369 [MEDIUM] CWE-862: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks vi
Sources: GHSA, NVD, OSV