Package impact

Packagist / wwbn/avideo

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-43875	medium	6.8	6.8	23d ago	AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
CVE-2026-43876	medium	6.4	6.4	23d ago	AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
CVE-2026-43878	medium	6.1	6.1	23d ago	Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
CVE-2026-46337	medium	—	5.5	9d ago	AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
CVE-2026-45731	medium	—	5.5	10d ago	AVideo: Authenticated Arbitrary File Read in view/update.php
CVE-2026-45620	medium	—	5.5	10d ago	AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
CVE-2026-45619	medium	—	5.5	13d ago	AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
CVE-2026-45610	medium	—	5.5	13d ago	AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
CVE-2026-45580	medium	—	5.5	13d ago	AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
CVE-2026-41062	medium	—	5.5	1mo ago	WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
CVE-2026-34368	medium	—	5.5	2mo ago	AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
CVE-2026-43879	medium	5.4	5.4	23d ago	AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
CVE-2026-43877	medium	5.4	5.4	23d ago	AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
CVE-2026-43881	medium	5.3	5.3	23d ago	AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
CVE-2026-43880	medium	5.3	5.3	23d ago	AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
CVE-2026-43882	medium	4.3	4.3	23d ago	AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
CVE-2026-43883	medium	4.2	4.2	23d ago	AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements