WWBN AVideo vulnerabilities
212 known vulnerabilities affecting wwbn/avideo.
Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25, HIGH 78, MEDIUM 108, LOW 1
Vulnerabilities
Page 8 of 11
CVE-2026-35450 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-04-06
CWE-306. WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require User::isAdmin().
Sources: GHSA, NVD, OSV

CVE-2026-30885 | P4 | MEDIUM | CVSS 5.3 | fixed in 25.0 | 2026-03-10
CWE-306. WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user
Sources: GHSA, NVD, OSV

CVE-2026-33763 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-307. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentica
Sources: GHSA, NVD, OSV

CVE-2026-33688 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-23
CWE-204. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive,
Sources: GHSA, NVD, OSV

CVE-2026-43880 | P4 | MEDIUM | CVSS 5.3 | ≤ 29.0 | 2026-05-11
CWE-940. WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message
Sources: GHSA, NVD

CVE-2026-27568 | P4 | MEDIUM | CVSS 6.1 | fixed in 21.0 | ≤ 26.0 | 2026-02-24
CWE-79. WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that inj
Sources: GHSA, NVD, OSV

CVE-2026-43878 | P4 | MEDIUM | CVSS 6.1 | ≤ 29.0 | 2026-05-11
CWE-79. WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript i
Sources: GHSA, NVD

CVE-2026-34362 | P4 | MEDIUM | CVSS 5.4 | ≤ 26.0 | 2026-03-27
CWE-613. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to pro
Sources: GHSA, NVD, OSV

CVE-2026-34247 | P4 | MEDIUM | CVSS 5.4 | ≤ 26.0 | 2026-03-27
CWE-862. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Live/uploadPoster.php` endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary `live_schedule_id`. The endpoint only checks `User::isLogged()` but never verifies that the authenticated u
Sources: GHSA, NVD, OSV

CVE-2026-35452 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-04-06
CWE-200. WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin(). The log contains internal filesystem paths, remote server URLs, and SSH connection meta
Sources: GHSA, NVD, OSV

CVE-2026-34364 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-863. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is entirely skipped, exposing all non-private categor
Sources: GHSA, NVD, OSV

CVE-2026-34368 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-362. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions o
Sources: GHSA, NVD, OSV

CVE-2026-43879 | P4 | MEDIUM | CVSS 5.4 | ≤ 29.0 | 2026-05-11
CWE-918. WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned
Sources: GHSA, NVD

CVE-2026-35449 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-04-06
CWE-200. WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthentica
Sources: GHSA, NVD, OSV

CVE-2026-33759 | P4 | MEDIUM | CVSS 5.3 | ≤ 26.0 | 2026-03-27
CWE-639. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `
Sources: GHSA, NVD, OSV

CVE-2026-43881 | P4 | MEDIUM | CVSS 5.3 | ≤ 29.0 | 2026-05-11
CWE-306. WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats
Sources: GHSA, NVD

CVE-2026-45731 | P4 | MEDIUM | CVSS 4.9 | ≤ 29.0 | 2026-05-29
CWE-22. WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.
Sources: GHSA, NVD

CVE-2026-45610 | P4 | MEDIUM | CVSS 6.5 | ≤ 29.0 | 2026-05-29
CWE-306. WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest()
Sources: GHSA, NVD

CVE-2026-34396 | P4 | MEDIUM | CVSS 6.1 | ≤ 26.0 | 2026-03-31
CWE-79. WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elemen
Sources: GHSA, NVD, OSV

CVE-2026-41055 | P4 | MEDIUM | CVSS 5.3 | ≤ 29.0 | 2026-04-21
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contain
Sources: NVD