| CVE-2026-45578 | high | 8.8 | 8.8 | | | | 14d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsyn… |
| CVE-2026-45619 | medium | 6.5 | 6.5 | | | | 14d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS … |
| CVE-2026-45610 | medium | 5.7 | 5.7 | | | | 14d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA val… |
| CVE-2026-46337 | medium | — | 5.5 | | | | 10d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private us… |
| CVE-2026-45731 | medium | — | 5.5 | | | | 11d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line executi… |
| CVE-2026-45580 | medium | 5.4 | 5.4 | | | | 14d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream … |
| CVE-2026-45620 | medium | 5.3 | 5.3 | | | | 11d ago | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) … |