VIR Vulnerability Intelligence Relay

Package impact

php COMPOSER / wwbn/avideo

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2026-43885 high 8.0 22d ago AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization php
CVE-2026-40926 high 8.0 1mo ago WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) php
CVE-2026-33492 high 8.0 2mo ago AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration php
CVE-2026-33485 high 8.0 2mo ago AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter php
CVE-2026-43884 high 7.7 7.7 22d ago AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() php
CVE-2026-43873 high 7.5 7.5 23d ago AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server php
CVE-2026-43874 high 7.2 7.2 23d ago AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass php
CVE-2026-43875 medium 6.8 6.8 23d ago AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover php
CVE-2026-43876 medium 6.4 6.4 23d ago AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers php
CVE-2026-43878 medium 6.1 6.1 23d ago Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal php
CVE-2026-41062 medium 5.5 1mo ago WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters php
CVE-2026-34368 medium 5.5 2mo ago AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance php
CVE-2026-43879 medium 5.4 5.4 22d ago AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass php
CVE-2026-43877 medium 5.4 5.4 23d ago AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content php
CVE-2026-43881 medium 5.3 5.3 22d ago AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction php
CVE-2026-43880 medium 5.3 5.3 22d ago AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address php
CVE-2026-43882 medium 4.3 4.3 22d ago AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing php
CVE-2026-43883 medium 4.2 4.2 22d ago AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements php