CVE-2026-45578 high —
8.0
13d ago
AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
php
CVE-2026-43885 high —
8.0
22d ago
AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
php
CVE-2026-40926 high —
8.0
1mo ago
WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
php
CVE-2026-33492 high —
8.0
2mo ago
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
php
CVE-2026-33485 high —
8.0
2mo ago
AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
php
CVE-2026-43884 high 7.7
7.7
22d ago
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
php
CVE-2026-43873 high 7.5
7.5
23d ago
AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
php
CVE-2026-43874 high 7.2
7.2
22d ago
AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
php