Package impact

php Packagist / WWBN/AVideo

CVE Severity CVSS Risk Published Description Impact
CVE-2026-45578 high 8.0 12d ago AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL php
CVE-2026-46337 medium 5.5 8d ago AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` php
CVE-2026-45731 medium 5.5 9d ago AVideo: Authenticated Arbitrary File Read in view/update.php php
CVE-2026-45620 medium 5.5 10d ago AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024` php
CVE-2026-45619 medium 5.5 12d ago AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf` php
CVE-2026-45610 medium 5.5 12d ago AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA php
CVE-2026-45580 medium 5.5 12d ago AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute php
CVE-2026-39370 unknown 2mo ago WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) php
CVE-2026-39369 unknown 2mo ago WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs php
CVE-2026-39368 unknown 2mo ago WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services php