CVE-2026-45578 | high | — | 8.0 | 13d ago | AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL | php
CVE-2026-43885 | high | — | 8.0 | 22d ago | AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization | php
CVE-2026-40926 | high | — | 8.0 | 1mo ago | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | php
CVE-2026-33492 | high | — | 8.0 | 2mo ago | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | php
CVE-2026-33485 | high | — | 8.0 | 2mo ago | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter | php
CVE-2026-43884 | high | 7.7 | 7.7 | 22d ago | AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() | php
CVE-2026-43873 | high | 7.5 | 7.5 | 23d ago | AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server | php
CVE-2026-43874 | high | 7.2 | 7.2 | 22d ago | AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass | php
CVE-2026-43875 | medium | 6.8 | 6.8 | 22d ago | AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover | php
CVE-2026-43876 | medium | 6.4 | 6.4 | 22d ago | AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers | php
CVE-2026-43878 | medium | 6.1 | 6.1 | 22d ago | Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal | php
CVE-2026-46337 | medium | — | 5.5 | 9d ago | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` | php
CVE-2026-45731 | medium | — | 5.5 | 10d ago | AVideo: Authenticated Arbitrary File Read in view/update.php | php
CVE-2026-45620 | medium | — | 5.5 | 10d ago | AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024` | php
CVE-2026-45619 | medium | — | 5.5 | 13d ago | AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf` | php
CVE-2026-45610 | medium | — | 5.5 | 13d ago | AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA | php
CVE-2026-45580 | medium | — | 5.5 | 13d ago | AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute | php
CVE-2026-41062 | medium | — | 5.5 | 1mo ago | WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters | php
CVE-2026-34368 | medium | — | 5.5 | 2mo ago | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance | php
CVE-2026-43879 | medium | 5.4 | 5.4 | 22d ago | AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass | php
CVE-2026-43877 | medium | 5.4 | 5.4 | 22d ago | AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content | php
CVE-2026-43881 | medium | 5.3 | 5.3 | 22d ago | AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction | php
CVE-2026-43880 | medium | 5.3 | 5.3 | 22d ago | AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address | php
CVE-2026-43882 | medium | 4.3 | 4.3 | 22d ago | AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing | php
CVE-2026-43883 | medium | 4.2 | 4.2 | 22d ago | AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements | php