Skip to main content

Avideo

77 CVEs product

Monthly

CVE-2026-54458 PHP CRITICAL Act Now

Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.

PHP CSRF XSS Avideo
NVD GitHub
CVSS 3.1
9.6
CVE-2026-56347 PHP MEDIUM This Month

Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.

XSS Avideo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56346 PHP MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP Avideo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56345 PHP CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload Avideo
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-56342 MEDIUM This Month

Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.

PHP SSRF Avideo
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.2%
CVE-2026-56341 PHP HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-47694 PHP MEDIUM GHSA This Month

Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.

XSS Avideo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41063 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

XSS Avideo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41058 PHP HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.

Path Traversal Avideo
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41055 PHP HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

SSRF Avideo
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-40911 PHP CRITICAL GHSA Act Now

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

Code Injection RCE Avideo
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-39368 PHP MEDIUM GHSA This Month

Stored SSRF in WWBN AVideo 26.0 and prior allows authenticated streamers with low-privilege streaming permissions to store arbitrary callback URLs in the live restream log feature, triggering server-side requests to internal or loopback HTTP services. The vulnerability affects all versions up to and including 26.0; exploitation requires valid streaming credentials but no user interaction. No public exploit code has been identified, though a proof-of-concept exists per CISA SSVC data.

SSRF Avideo
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39367 PHP MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files, which executes in the browsers of unauthenticated visitors to the public EPG page without sanitization. Attackers can exploit this to hijack sessions and takeover accounts of any user viewing the compromised EPG. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Avideo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34740 PHP MEDIUM PATCH GHSA This Month

Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. This enables attackers to scan internal networks, access cloud metadata services, and interact with internal services without the authentication or complexity barriers normally present in network-based attacks. No public exploit code identified at time of analysis.

SSRF Avideo
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-34738 PHP MEDIUM PATCH GHSA This Month

WWBN AVideo versions 26.0 and prior allow authenticated uploaders to bypass content moderation by directly setting video status to active via an unvalidated overrideStatus parameter, circumventing admin-controlled review workflows. The vulnerability affects any user with upload permissions and has a CVSS score of 4.3 (low-to-moderate severity) with no public exploit code identified at time of analysis.

Authentication Bypass Avideo
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-34716 PHP MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.

XSS RCE Avideo
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-34374 CRITICAL Act Now

SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.

SQLi Avideo
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34369 PHP MEDIUM GHSA This Month

WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints `get_api_video_file` and `get_api_video`, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the `CustomizeUser::getModeYouTube()` hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Avideo
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33683 PHP MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.

XSS Avideo
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33648 PHP HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.

Command Injection Avideo
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30885 PHP MEDIUM PATCH This Month

WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.

PHP Authentication Bypass Avideo
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-29093 PHP HIGH This Week

Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.

PHP Docker Authentication Bypass Avideo
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-28502 PHP HIGH This Week

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

PHP RCE File Upload Avideo
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-28501 PHP CRITICAL POC Act Now

Unauthenticated SQL injection in AVideo before 24.0.

PHP SQLi Avideo
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-27732 PHP HIGH PATCH This Week

Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via an unvalidated downloadURL parameter in the aVideoEncoder.json.php endpoint. An attacker can exploit this to probe internal network services, access metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise. This affects PHP deployments running vulnerable AVideo versions.

PHP SSRF Avideo
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27568 PHP MEDIUM PATCH This Month

Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.

Privilege Escalation Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2020-37173 HIGH POC This Week

Avideo versions up to 8.1 contains a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).

PHP Information Disclosure Avideo
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2020-37172 MEDIUM POC This Month

Avideo versions up to 8.1 is affected by weak password recovery mechanism for forgotten password (CVSS 5.3).

CSRF Avideo
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2020-37158 MEDIUM POC This Month

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. [CVSS 5.3 MEDIUM]

CSRF Avideo
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-34899 PHP MEDIUM POC PATCH This Month

WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-31819 PHP CRITICAL POC PATCH THREAT Act Now

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Avideo
NVD GitHub
CVSS 3.1
9.8
EPSS
15.6%
CVE-2023-50172 PHP MEDIUM POC This Month

A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Avideo
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2023-49864 MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-49863 MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-49862 MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-49810 PHP HIGH POC This Week

A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Avideo
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2023-49738 HIGH POC This Week

An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-49715 MEDIUM POC This Month

A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Avideo
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2023-49599 PHP CRITICAL POC Act Now

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Avideo
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2023-49589 HIGH POC This Week

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2023-48730 HIGH This Week

A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Avideo
NVD
CVSS 3.1
8.5
EPSS
0.5%
CVE-2023-48728 CRITICAL POC THREAT Emergency

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 17.4%.

XSS Avideo
NVD
CVSS 3.1
9.6
EPSS
17.4%
CVE-2023-47862 CRITICAL Act Now

A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Avideo
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-47861 CRITICAL POC Act Now

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Avideo
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2023-47171 MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-32073 PHP HIGH POC PATCH This Week

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP RCE Command Injection Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
6.5%
CVE-2023-30860 PHP MEDIUM POC PATCH This Month

WWBN AVideo is an open source video platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2023-30854 PHP HIGH POC PATCH This Week

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Command Injection Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
5.2%
CVE-2023-25314 MEDIUM PATCH This Month

Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-25313 PHP CRITICAL POC PATCH Act Now

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Avideo
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-34652 HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-33149 HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2022-33148 HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-33147 HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2022-32778 HIGH This Week

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Avideo
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2022-32777 HIGH This Week

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Avideo
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2022-32772 MEDIUM POC This Month

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
3.0%
CVE-2022-32771 MEDIUM POC This Month

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
3.2%
CVE-2022-32770 MEDIUM POC This Month

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
3.4%
CVE-2022-32769 MEDIUM This Month

Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Avideo
NVD GitHub
CVSS 3.1
5.0
EPSS
0.7%
CVE-2022-32768 MEDIUM This Month

Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Avideo
NVD GitHub
CVSS 3.1
4.2
EPSS
0.8%
CVE-2022-32761 MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Avideo
NVD GitHub
CVSS 3.1
6.5
EPSS
2.4%
CVE-2022-32572 HIGH POC THREAT This Week

An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
22.7%
CVE-2022-32282 HIGH POC This Week

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2022-30690 MEDIUM POC THREAT This Month

A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
83.6%
CVE-2022-30605 HIGH POC This Week

A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Privilege Escalation Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
4.1%
CVE-2022-30547 CRITICAL POC THREAT Act Now

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Avideo
NVD GitHub
CVSS 3.1
9.9
EPSS
63.7%
CVE-2022-30534 HIGH This Week

An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
74.5%
CVE-2022-29468 HIGH POC This Week

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-28712 CRITICAL POC Act Now

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
9.0
EPSS
2.4%
CVE-2022-28710 MEDIUM POC This Month

An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Avideo
NVD GitHub
CVSS 3.1
6.5
EPSS
2.3%
CVE-2022-26842 CRITICAL POC Act Now

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
CVSS 3.1
9.6
EPSS
2.9%
CVE-2022-27463 PHP MEDIUM PATCH This Month

Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Open Redirect Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-27462 MEDIUM PATCH This Month

Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Avideo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-21286 HIGH This Week

AVideo Platform is an open-source Audio and Video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2020-23490 HIGH POC PATCH This Week

There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Avideo
NVD GitHub
CVSS 3.1
7.5
EPSS
2.6%
CVE-2020-23489 PHP HIGH PATCH This Week

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
2.3%
CVSS 9.6
CRITICAL Act Now

Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.

PHP CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.

XSS Avideo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.

PHP SSRF Avideo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.

XSS Avideo
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

XSS Avideo
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.

Path Traversal Avideo
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

SSRF Avideo
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

Code Injection RCE Avideo
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored SSRF in WWBN AVideo 26.0 and prior allows authenticated streamers with low-privilege streaming permissions to store arbitrary callback URLs in the live restream log feature, triggering server-side requests to internal or loopback HTTP services. The vulnerability affects all versions up to and including 26.0; exploitation requires valid streaming credentials but no user interaction. No public exploit code has been identified, though a proof-of-concept exists per CISA SSVC data.

SSRF Avideo
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files, which executes in the browsers of unauthenticated visitors to the public EPG page without sanitization. Attackers can exploit this to hijack sessions and takeover accounts of any user viewing the compromised EPG. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS Avideo
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stored server-side request forgery (SSRF) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject arbitrary URLs into the EPG (Electronic Program Guide) link feature, which the server automatically fetches on each EPG page visit. This enables attackers to scan internal networks, access cloud metadata services, and interact with internal services without the authentication or complexity barriers normally present in network-based attacks. No public exploit code identified at time of analysis.

SSRF Avideo
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

WWBN AVideo versions 26.0 and prior allow authenticated uploaders to bypass content moderation by directly setting video status to active via an unvalidated overrideStatus parameter, circumventing admin-controlled review workflows. The vulnerability affects any user with upload permissions and has a CVSS score of 4.3 (low-to-moderate severity) with no public exploit code identified at time of analysis.

Authentication Bypass Avideo
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.

XSS RCE Avideo
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.

SQLi Avideo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints `get_api_video_file` and `get_api_video`, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the `CustomizeUser::getModeYouTube()` hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.

Authentication Bypass Avideo
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.

XSS Avideo
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a command injection vulnerability in the restreamer endpoint that allows authenticated attackers to execute arbitrary commands on the server. The vulnerability stems from unsanitized user input (users_id and liveTransmitionHistory_id parameters) being embedded directly into shell commands via exec(). With a CVSS score of 8.8, this critical vulnerability requires low attack complexity and low privileges, enabling complete system compromise including data theft, modification, and denial of service.

Command Injection Avideo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WWBN AVideo is an open source video platform. versions up to 25.0 is affected by missing authentication for critical function.

PHP Authentication Bypass Avideo
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.

PHP Docker Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.

PHP RCE File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated SQL injection in AVideo before 24.0.

PHP SQLi Avideo
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via an unvalidated downloadURL parameter in the aVideoEncoder.json.php endpoint. An attacker can exploit this to probe internal network services, access metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise. This affects PHP deployments running vulnerable AVideo versions.

PHP SSRF Avideo
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.

Privilege Escalation Avideo
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Avideo versions up to 8.1 contains a vulnerability that allows attackers to enumerate user details through the playlistsFromUser (CVSS 7.5).

PHP Information Disclosure Avideo
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Avideo versions up to 8.1 is affected by weak password recovery mechanism for forgotten password (CVSS 5.3).

CSRF Avideo
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. [CVSS 5.3 MEDIUM]

CSRF Avideo
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

WWBN AVideo 12.4 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD
EPSS 16% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A recovery notification bypass vulnerability exists in the userRecoverPass.php captcha validation functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Avideo
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
EPSS 0% CVSS 7.3
HIGH POC This Week

A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Avideo
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Avideo
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
EPSS 0% CVSS 8.5
HIGH This Week

A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Avideo
NVD
EPSS 17% CVSS 9.6
CRITICAL POC THREAT Emergency

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 17.4%.

XSS Avideo
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Avideo
NVD
EPSS 0% CVSS 9.0
CRITICAL POC Act Now

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Avideo
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Avideo
NVD
EPSS 6% CVSS 8.8
HIGH POC PATCH This Week

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP RCE Command Injection +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

WWBN AVideo is an open source video platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC PATCH This Week

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross Site Scripting (XSS) vulnerability in World Wide Broadcast Network AVideo before 12.4, allows attackers to gain sensitive information via the success parameter to /user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Avideo
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbitrary code via the video link field to the Embed a video link feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Avideo
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
EPSS 2% CVSS 8.8
HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
EPSS 2% CVSS 8.8
HIGH This Week

A sql injection vulnerability exists in the ObjectYPT functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Avideo
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Avideo
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Avideo
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Avideo
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Avideo
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (xss) vulnerability exists in the footer alerts functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Avideo
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM This Month

Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Avideo
NVD GitHub
EPSS 1% CVSS 4.2
MEDIUM This Month

Multiple authentication bypass vulnerabilities exist in the objects id handling functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Avideo
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC This Month

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Avideo
NVD GitHub
EPSS 23% CVSS 8.8
HIGH POC THREAT This Week

An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Avideo
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

An improper password check exists in the login functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Avideo
NVD GitHub
EPSS 84% CVSS 6.1
MEDIUM POC THREAT This Month

A cross-site scripting (xss) vulnerability exists in the image403 functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
EPSS 4% CVSS 8.8
HIGH POC This Week

A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Privilege Escalation Avideo
NVD GitHub
EPSS 64% CVSS 9.9
CRITICAL POC THREAT Act Now

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Avideo
NVD GitHub
EPSS 74% CVSS 8.8
HIGH This Week

An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Avideo
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Avideo
NVD GitHub
EPSS 2% CVSS 9.0
CRITICAL POC Act Now

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC This Month

An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Avideo
NVD GitHub
EPSS 3% CVSS 9.6
CRITICAL POC Act Now

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Avideo
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Open Redirect Avideo
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Cross Site Scripting (XSS) vulnerability in objects/function.php in function getDeviceID in WWBN AVideo through 11.6, via the yptDevice parameter to view/include/head.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Avideo
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

AVideo Platform is an open-source Audio and Video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Avideo
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

There was a local file disclosure vulnerability in AVideo < 8.9 via the proxy streaming. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Avideo
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP Avideo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy