CVE-2026-45578
high
—
8.0
12d ago
AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
php
CVE-2026-43885
high
—
8.0
22d ago
AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
php
CVE-2026-40926
high
—
8.0
1mo ago
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
php
CVE-2026-33492
high
—
8.0
2mo ago
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
php
CVE-2026-33485
high
—
8.0
2mo ago
AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
php
CVE-2026-43884
high
7.7
7.7
22d ago
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
php
CVE-2026-43873
high
7.5
7.5
22d ago
AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
php
CVE-2026-43874
high
7.2
7.2
22d ago
AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
php
CVE-2026-43875
medium
6.8
6.8
22d ago
AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
php
CVE-2026-43876
medium
6.4
6.4
22d ago
AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
php
CVE-2026-43878
medium
6.1
6.1
22d ago
AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
php
CVE-2026-46337
medium
—
5.5
8d ago
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
php
CVE-2026-45731
medium
—
5.5
9d ago
AVideo: Authenticated Arbitrary File Read in view/update.php
php
CVE-2026-45620
medium
—
5.5
9d ago
AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
php
CVE-2026-45619
medium
—
5.5
12d ago
AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
php
CVE-2026-45610
medium
—
5.5
12d ago
AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
php
CVE-2026-45580
medium
—
5.5
12d ago
AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
php
CVE-2026-41062
medium
—
5.5
1mo ago
WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
php
CVE-2026-34368
medium
—
5.5
2mo ago
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
php
CVE-2026-43879
medium
5.4
5.4
22d ago
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
php
CVE-2026-43877
medium
5.4
5.4
22d ago
AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
php
CVE-2026-43881
medium
5.3
5.3
22d ago
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
php
CVE-2026-43880
medium
5.3
5.3
22d ago
AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
php
CVE-2026-43882
medium
4.3
4.3
22d ago
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
php
CVE-2026-43883
medium
4.2
4.2
22d ago
AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
php
CVE-2026-41304
unknown
—
—
1mo ago
WWBN AVideo: RCE caused by clonesite plugin
php
CVE-2026-41064
unknown
—
—
1mo ago
WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
php
CVE-2026-41063
unknown
—
—
1mo ago
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
php
CVE-2026-41061
unknown
—
—
1mo ago
WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
php
CVE-2026-41060
unknown
—
—
1mo ago
WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
php
CVE-2026-41058
unknown
—
—
1mo ago
WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
php
CVE-2026-41057
unknown
—
—
1mo ago
WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
php
CVE-2026-41056
unknown
—
—
1mo ago
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
php
CVE-2026-41055
unknown
—
—
1mo ago
WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
php
CVE-2026-40935
unknown
—
—
1mo ago
CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
php
CVE-2026-40929
unknown
—
—
1mo ago
WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
php
CVE-2026-40928
unknown
—
—
1mo ago
WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
php
CVE-2026-40925
unknown
—
—
1mo ago
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
php
CVE-2026-40911
unknown
—
—
1mo ago
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
php
CVE-2026-40909
unknown
—
—
1mo ago
WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
php
CVE-2026-40908
unknown
—
—
1mo ago
WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
php
CVE-2026-40907
unknown
—
—
1mo ago
WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
php
CVE-2026-39367
unknown
—
—
2mo ago
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
php
CVE-2026-39366
unknown
—
—
2mo ago
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
php
CVE-2026-35452
unknown
—
—
2mo ago
AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
php
CVE-2026-35450
unknown
—
—
2mo ago
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
php
CVE-2026-35449
unknown
—
—
2mo ago
AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
php
CVE-2026-35448
unknown
—
—
2mo ago
AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
php
CVE-2026-35181
unknown
—
—
2mo ago
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
php
CVE-2026-35179
unknown
—
—
2mo ago
AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
php
CVE-2026-34740
unknown
—
—
2mo ago
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
php
CVE-2026-34739
unknown
—
—
2mo ago
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
php
CVE-2026-34738
unknown
—
—
2mo ago
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
php
CVE-2026-34737
unknown
—
—
2mo ago
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
php
CVE-2026-34733
unknown
—
—
2mo ago
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
php
CVE-2026-34732
unknown
—
—
2mo ago
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
php
CVE-2026-34731
unknown
—
—
2mo ago
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
php
CVE-2026-34716
unknown
—
—
2mo ago
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
php
CVE-2026-34613
unknown
—
—
2mo ago
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
php
CVE-2026-34611
unknown
—
—
2mo ago
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
php
CVE-2026-34396
unknown
—
—
2mo ago
AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
php
CVE-2026-34395
unknown
—
—
2mo ago
AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
php
CVE-2026-34394
unknown
—
—
2mo ago
AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
php
CVE-2026-34375
unknown
—
—
2mo ago
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
php
CVE-2026-34369
unknown
—
—
2mo ago
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
php
CVE-2026-34364
unknown
—
—
2mo ago
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
php
CVE-2026-34362
unknown
—
—
2mo ago
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
php
CVE-2026-34247
unknown
—
—
2mo ago
AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
php
CVE-2026-34245
unknown
—
—
2mo ago
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
php
CVE-2026-33867
unknown
—
—
2mo ago
AVideo has Plaintext Video Password Storage
php
CVE-2026-33770
unknown
—
—
2mo ago
AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
php
CVE-2026-33767
unknown
—
—
2mo ago
AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
php
CVE-2026-33766
unknown
—
—
2mo ago
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
php
CVE-2026-33764
unknown
—
—
2mo ago
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
php
CVE-2026-33763
unknown
—
—
2mo ago
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
php
CVE-2026-33761
unknown
—
—
2mo ago
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
php
CVE-2026-33759
unknown
—
—
2mo ago
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
php
CVE-2026-33723
unknown
—
—
2mo ago
AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
php
CVE-2026-33719
unknown
—
—
2mo ago
AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
php
CVE-2026-33717
unknown
—
—
2mo ago
AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
php
CVE-2026-33716
unknown
—
—
2mo ago
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
php
CVE-2026-33690
unknown
—
—
2mo ago
AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
php
CVE-2026-33688
unknown
—
—
2mo ago
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
php
CVE-2026-33685
unknown
—
—
2mo ago
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
php
CVE-2026-33683
unknown
—
—
2mo ago
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
php
CVE-2026-33681
unknown
—
—
2mo ago
AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name
php
CVE-2026-33651
unknown
—
—
2mo ago
AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
php
CVE-2026-33650
unknown
—
—
2mo ago
AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
php
CVE-2026-33649
unknown
—
—
2mo ago
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
php
CVE-2026-33648
unknown
—
—
2mo ago
AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
php
CVE-2026-33647
unknown
—
—
2mo ago
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
php
CVE-2026-33513
unknown
—
—
2mo ago
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
php
CVE-2026-33512
unknown
—
—
2mo ago
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
php
CVE-2026-33507
unknown
—
—
2mo ago
AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
php
CVE-2026-33502
unknown
—
—
2mo ago
AVideo has Unauthenticated SSRF via plugin/Live/test.php
php
CVE-2026-33501
unknown
—
—
2mo ago
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
php
CVE-2026-33500
unknown
—
—
2mo ago
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
php
CVE-2026-33499
unknown
—
—
2mo ago
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
php
CVE-2026-33493
unknown
—
—
2mo ago
AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
php
CVE-2026-33488
unknown
—
—
2mo ago
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
php