| CVE-2026-43875 | medium | 6.8 | 6.8 | 23d ago | AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover |
| CVE-2026-43876 | medium | 6.4 | 6.4 | 23d ago | AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers |
| CVE-2026-43878 | medium | 6.1 | 6.1 | 23d ago | Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal |
| CVE-2026-41062 | medium | — | 5.5 | 1mo ago | WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters |
| CVE-2026-34368 | medium | — | 5.5 | 2mo ago | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance |
| CVE-2026-43879 | medium | 5.4 | 5.4 | 23d ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass |
| CVE-2026-43877 | medium | 5.4 | 5.4 | 23d ago | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content |
| CVE-2026-43881 | medium | 5.3 | 5.3 | 23d ago | AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction |
| CVE-2026-43880 | medium | 5.3 | 5.3 | 23d ago | AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address |
| CVE-2026-43882 | medium | 4.3 | 4.3 | 23d ago | AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing |
| CVE-2026-43883 | medium | 4.2 | 4.2 | 23d ago | AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements |