| CVE-2026-46337 | medium | — | 5.5 | | | | 9d ago | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` |
| CVE-2026-45731 | medium | — | 5.5 | | | | 10d ago | AVideo: Authenticated Arbitrary File Read in view/update.php |
| CVE-2026-45620 | medium | — | 5.5 | | | | 10d ago | AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024` |
| CVE-2026-45619 | medium | — | 5.5 | | | | 13d ago | AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf` |
| CVE-2026-45610 | medium | — | 5.5 | | | | 13d ago | AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA |
| CVE-2026-45580 | medium | — | 5.5 | | | | 13d ago | AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute |