Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches.
AnalysisAI
WWBN AVideo versions 26.0 and prior allow authenticated uploaders to bypass content moderation by directly setting video status to active via an unvalidated overrideStatus parameter, circumventing admin-controlled review workflows. The vulnerability affects any user with upload permissions and has a CVSS score of 4.3 (low-to-moderate severity) with no public exploit code identified at time of analysis.
Technical ContextAI
AVideo's video processing pipeline implements a setStatus() method that validates incoming status codes against a whitelist of permitted states (including 'active') but fails to perform authorization checks to ensure the caller has permission to transition a video to that state. This is a classic authorization bypass flaw (CWE-285: Improper Authorization) where business logic validation exists but privilege validation is absent. The vulnerability leverages the HTTP request parameter overrideStatus to inject status transitions directly into the video object lifecycle, bypassing the intended moderation and draft workflow states that admins control.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation options include: (1) restrict upload permissions to trusted users only until a patch is available; (2) implement server-side authorization checks in the setStatus() method to verify that only admins or designated moderators can change video status, particularly to 'active' state; (3) audit existing videos marked as 'active' to identify any that bypassed moderation; (4) monitor video status change logs for unauthorized transitions. Contact WWBN or monitor the GitHub Security Advisory (https://github.com/WWBN/AVideo/security/advisories/GHSA-m577-w9j8-ch7j) for patch availability and timeline.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed
Unauthenticated SQL injection in AVideo before 24.0.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17656
GHSA-m577-w9j8-ch7j