
Wwbn Avideo vulnerabilities

212 known vulnerabilities affecting wwbn/avideo.

Total CVEs: 212
CISA KEV: 0
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 25 | HIGH 78 | MEDIUM 108 | LOW 1

Vulnerabilities

Page 9 of 11
CVE-2026-43877 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 29.0 | 2026-05-11
CWE-352. WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project
Sources: GHSA, NVD
CVE-2026-40908 | P4 | MEDIUM | CVSS 5.3 | affected: ≤ 29.0 | 2026-04-21
CWE-200. WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash (enabling version fingerprinting against known CVEs), developer names and email addresses (PII), and commi
Sources: NVD
CVE-2026-40935 | P4 | MEDIUM | CVSS 5.3 | affected: ≤ 29.0 | 2026-04-21
CWE-804. WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over
Sources: NVD
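The weakness in this entry is a security parameter taken from the client. The following is an added Python model of the vulnerable and hardened shapes, written for this page; it is not AVideo's getCaptcha.php, and the alphabet, length bounds (5 to 8) and the single-use challenge class are assumed policy, not the project's values. It also shows why the case-insensitive comparison matters: it shrinks the per-character alphabet from 62 to 36.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols; 36 once case is folded
MIN_LEN, MAX_LEN, DEFAULT_LEN = 5, 8, 5            # assumed policy, not AVideo's values


def captcha_length_vulnerable(params):
    """The vulnerable shape (CWE-804): the client picks how strong the CAPTCHA is.
    ?ql=1 yields a one-character word."""
    return int(params.get("ql", DEFAULT_LEN))


def captcha_length_hardened(params):
    """Treat `ql` as a hint at most: non-numeric input falls back to the default and
    the result is clamped into [MIN_LEN, MAX_LEN], so no client can go below MIN_LEN."""
    try:
        requested = int(params.get("ql", DEFAULT_LEN))
    except (TypeError, ValueError):
        requested = DEFAULT_LEN
    return max(MIN_LEN, min(MAX_LEN, requested))


def keyspace(length, case_insensitive):
    """Distinct answers an attacker must try to be certain of a hit."""
    return (36 if case_insensitive else 62) ** length


def generate_word(length):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CaptchaChallenge:
    """Server-side challenge state. The answer is compared exactly (no case folding)
    in constant time, and the word is replaced after every attempt, right or wrong,
    so a guess can never be replayed against the same word."""

    def __init__(self, params):
        self.word = generate_word(captcha_length_hardened(params))

    def check(self, answer):
        ok = secrets.compare_digest(self.word.encode(), str(answer).encode())
        self.word = generate_word(len(self.word))
        return ok


if __name__ == "__main__":
    attacker = {"ql": "1"}   # constructed query string matching the advisory's scenario
    print("vulnerable length:", captcha_length_vulnerable(attacker),
          "-> keyspace", keyspace(captcha_length_vulnerable(attacker), True))
    print("hardened length:", captcha_length_hardened(attacker),
          "-> keyspace", keyspace(captcha_length_hardened(attacker), False))
```

With `ql=1` and case folding the attacker needs at most 36 guesses; the clamp alone raises that to 36^5, and dropping the case folding and making the word single-use removes the enumeration entirely.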
CVE-2022-32769 | P4 | MEDIUM | CVSS 5.0 | affected: v11.6, dev master commit 3f7c0364 | 2022-08-22
CWE-862. Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request by an authenticated user can lead to unauthorized access and takeover of resources. An attacker can send an HTTP request to trigger this vulnerability. This vulnerability ex
Sources: NVD
CVE-2026-33035 | P4 | MEDIUM | CVSS 6.1 | fixed in 26.0 | 2026-03-20
CWE-79. WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and
Sources: GHSA, NVD, OSV
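The point of this entry is a context mismatch: json_encode() protects the JavaScript string literal, not the HTML that innerHTML later parses. The following is an added Python model written for this page, not AVideo code; json.dumps() stands in for PHP's json_encode() (both escape only quotes, backslash and "/" by default), the `js_literal_hex` helper approximates the JSON_HEX_* flags, and the two render functions are simplified models of what innerHTML and textContent do with the decoded string.

```python
import html
import json


def js_literal_default(value):
    """Stand-in for PHP json_encode($v) with default flags: only quotes, backslash
    and "/" are escaped. json.dumps() treats these characters the same way."""
    return json.dumps(value)


def js_literal_hex(value):
    """Approximates json_encode($v, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS):
    characters that could close a <script> block or an attribute become \\u escapes."""
    return (json.dumps(value)
            .replace("<", "\\u003C").replace(">", "\\u003E")
            .replace("&", "\\u0026").replace("'", "\\u0027"))


def js_string_value(literal):
    """What the JavaScript engine holds after evaluating the literal: \\u003C is '<' again."""
    return json.loads(literal)


def render_via_innerhtml(literal):
    """Model of `el.innerHTML = <literal>`: the decoded string is handed to the HTML
    parser, so any tag inside it becomes live markup. Returns the markup the parser sees."""
    return js_string_value(literal)


def render_via_textcontent(literal):
    """Model of `el.textContent = <literal>`: the string becomes a text node and is never
    parsed. Returns how that node serialises back to HTML."""
    return html.escape(js_string_value(literal), quote=False)


def safe_for_innerhtml(value):
    """Encode for the final sink first (HTML), then for the transport context (a JS
    string literal). After json.loads() the HTML parser only ever sees entities."""
    return json.dumps(html.escape(value, quote=True))


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"   # constructed reflected input
    for name, lit in (("default", js_literal_default(payload)),
                      ("hex flags", js_literal_hex(payload)),
                      ("escape-then-encode", safe_for_innerhtml(payload))):
        print(f"{name:20} literal={lit}")
        print(f"{'':20} innerHTML sees: {render_via_innerhtml(lit)}")
    print(f"{'textContent':20} shows: {render_via_textcontent(js_literal_default(payload))}")
```

The JSON_HEX_* flags only hide the tag from the HTML parser that tokenises the surrounding `<script>` block; once the JavaScript engine decodes the literal, innerHTML receives the raw tag. The fix is to choose the encoding for the sink (HTML-escape before json_encode, or write with textContent), not to add more JSON flags.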
CVE-2026-34739 | P4 | MEDIUM | CVSS 6.1 | affected: ≤ 26.0 | 2026-03-31
CWE-79. WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the pag
Sources: GHSA, NVD, OSV
CVE-2025-34439 | P4 | MEDIUM | CVSS 6.1 | fixed in 20.0 | 2025-12-17
CWE-601. AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.
Sources: NVD
CVE-2023-50172 | P4 | MEDIUM | CVSS 5.3 | affected: dev master commit 15fed957fb | 2024-01-10
CWE-640. A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to the silent creation of a recovery pass code for any user.
Sources: GHSA, NVD, OSV
CVE-2026-39367 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 26.0 | 2026-04-07
CWE-79. WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose elements contain Jav
Sources: GHSA, NVD, OSV
CVE-2026-45620 | P4 | MEDIUM | CVSS 5.3 | affected: ≤ 29.0 | 2026-05-29
WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration.
Sources: GHSA, NVD
CVE-2026-33690 | P4 | MEDIUM | CVSS 5.3 | affected: ≤ 26.0 | 2026-03-23
CWE-348. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Commit 1a1df
Sources: GHSA, NVD, OSV
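The general fix for this class of bug is to trust a forwarding header only when the TCP peer is a proxy you operate, and to read the chain from the right. The following is an added Python example written for this page, not AVideo's getRealIpAddr(); the trusted-proxy range 10.0.0.0/24, the header names consulted by the naive version, and the 127.0.0.1 allowlist are all assumptions for the demonstration (the advisory does not list which headers the function reads), and the `environ` dicts model PHP's $_SERVER.

```python
import ipaddress

# Assumed trusted-proxy range for this demo (not an AVideo setting): only peers in
# this network are allowed to tell us who the "real" client is.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Conventional forwarding headers as they appear in a CGI/PHP-style $_SERVER map.
# The advisory does not list which headers getRealIpAddr() reads; these are the usual ones.
FORWARDING_HEADERS = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


def parse_ip(value):
    """Return an ip_address object, or None when the value is not a valid IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_real_ip(environ):
    """The vulnerable shape (CWE-348): whichever forwarding header is present wins,
    no matter who set it. Anyone can send X-Forwarded-For: 127.0.0.1."""
    for name in FORWARDING_HEADERS:
        if environ.get(name):
            return environ[name].split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip(environ):
    """Hardened resolver. REMOTE_ADDR is the TCP peer and cannot be forged by the
    client; X-Forwarded-For is consulted only when that peer is a proxy we trust.
    The chain is walked from the right (the proxy nearest us appended last), skipping
    our own proxies, so the attacker-controlled left-most entries are never used."""
    peer = parse_ip(environ["REMOTE_ADDR"])
    if peer is None or not is_trusted_proxy(peer):
        return environ["REMOTE_ADDR"]
    hops = [h for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            # A real proxy never appends garbage; stop trusting the chain here.
            return environ["REMOTE_ADDR"]
        if not is_trusted_proxy(ip):
            return str(ip)
    # Every hop was one of our proxies (or there were none): the peer is the client.
    return environ["REMOTE_ADDR"]


def is_allowlisted(environ, allowlist=("127.0.0.1",)):
    """An IP-based gate of the kind the advisory says forged headers can bypass."""
    return client_ip(environ) in allowlist


if __name__ == "__main__":
    # Constructed requests: a direct attacker forging headers, and a legitimate
    # request that really did arrive through our proxy 10.0.0.2.
    forged = {"REMOTE_ADDR": "203.0.113.5", "HTTP_CLIENT_IP": "127.0.0.1",
              "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    proxied = {"REMOTE_ADDR": "10.0.0.2",
               "HTTP_X_FORWARDED_FOR": "127.0.0.1, 198.51.100.7, 10.0.0.3"}
    print("forged  -> naive:", naive_real_ip(forged), "| hardened:", client_ip(forged))
    print("proxied -> naive:", naive_real_ip(proxied), "| hardened:", client_ip(proxied))
```

Note that even in the proxied case the naive version returns the attacker's 127.0.0.1 because it reads the left-most entry, which is the one the client supplied before the proxy appended anything; the hardened version returns 198.51.100.7, the first address that is not one of our own proxies.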
CVE-2026-33238 | P4 | MEDIUM | CVSS 4.3 | fixed in 26.0 | 2026-03-21
CWE-22. WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by supplying arbitrary absolute paths, enumerating `.mp
Sources: GHSA, NVD, OSV
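The check this entry is missing is path containment: resolve the user-supplied path beneath a fixed base directory and refuse anything that lands outside it. The following is an added Python example written for this page, not AVideo's listFiles.json.php; the videos/ layout, the secret/ sibling folder and the allowed extension list are a constructed fixture for the demonstration. It builds the tree in a temporary directory so it runs offline.

```python
import glob
import os
import tempfile

# Extensions the listing is meant to expose (assumed, not AVideo's list).
ALLOWED_EXTENSIONS = {".mp4", ".webm", ".mp3"}


def list_files_vulnerable(path):
    """The vulnerable shape (CWE-22): a caller-supplied path goes straight to glob()."""
    return sorted(glob.glob(os.path.join(path, "*")))


def list_files_hardened(base_dir, user_path):
    """Resolve the request beneath base_dir and refuse anything that escapes it.

    realpath() collapses '..' and follows symlinks, so a symlink inside base_dir
    that points outside is caught by the same containment test."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise PermissionError("absolute paths are not allowed")
    target = os.path.realpath(os.path.join(base, user_path))
    if target != base and not target.startswith(base + os.sep):
        raise PermissionError("path escapes the allowed directory")
    if not os.path.isdir(target):
        return []
    return sorted(
        name for name in os.listdir(target)
        if os.path.splitext(name)[1].lower() in ALLOWED_EXTENSIONS
        and os.path.isfile(os.path.join(target, name))
    )


def build_fixture():
    """Constructed directory tree: an allowed videos/ folder next to a folder
    the listing must never reach. Returns the videos/ path."""
    root = tempfile.mkdtemp(prefix="avideo-demo-")
    videos = os.path.join(root, "videos")
    os.makedirs(os.path.join(videos, "sub"))
    os.makedirs(os.path.join(root, "secret"))
    for rel in ("videos/a.mp4", "videos/notes.txt", "videos/sub/b.webm", "secret/db-backup.sql"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("constructed sample\n")
    return videos


def attempt(base_dir, user_path):
    try:
        return list_files_hardened(base_dir, user_path)
    except PermissionError:
        return "denied"


def demo():
    videos = build_fixture()
    return {
        # Traversal works against the vulnerable listing...
        "vuln_escape": [os.path.basename(p)
                        for p in list_files_vulnerable(os.path.join(videos, "..", "secret"))],
        # ...and is refused by the hardened one, for relative and absolute escapes alike.
        "hardened_escape": attempt(videos, "../secret"),
        "hardened_abs": attempt(videos, os.path.dirname(videos)),
        "hardened_root": attempt(videos, "."),
        "hardened_sub": attempt(videos, "sub"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The extension filter is a second, independent guard: even if containment were somehow bypassed, only media names would be returned rather than arbitrary filenames.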
CVE-2025-50128 | P4 | MEDIUM | CVSS 6.1 | affected: v14.4, dev master commit 8a8954ff | 2025-07-24
CWE-79. A cross-site scripting (XSS) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Sources: NVD
CVE-2025-46410 | P4 | MEDIUM | CVSS 6.1 | affected: v14.4, dev master commit 8a8954ff | 2025-07-24
CWE-79. A cross-site scripting (XSS) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Sources: NVD
CVE-2025-53084 | P4 | MEDIUM | CVSS 6.1 | affected: v14.4, dev master commit 8a8954ff | 2025-07-24
CWE-79. A cross-site scripting (XSS) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Sources: NVD
CVE-2026-33499 | P4 | MEDIUM | CVSS 6.1 | affected: ≤ 26.0 | 2026-03-23
CWE-79. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attr
Sources: GHSA, NVD, OSV
CVE-2023-30860 | P4 | MEDIUM | CVSS 5.4 | fixed in 12.4 | 2023-05-08
CWE-79. WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user in that Meeting, but it does not properly sanitize the malicious characters when creating a Meeting Room. This allows an attacker to insert malicious scripts. Since any USER including the ADMIN c
Sources: GHSA, NVD, OSV
CVE-2026-33500 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 26.0 | 2026-03-23
CWE-79. WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert
Sources: GHSA, NVD, OSV
CVE-2026-33683 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 26.0 | 2026-03-23
CWE-79. WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` function entity-encodes input before `strip_specific_tags()` ca
Sources: GHSA, NVD, OSV
CVE-2026-47694 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 29.0 | 2026-05-29
CWE-79. WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category pag
Sources: GHSA, NVD