Daniel Neto

118 exploits Active since May 2023
CVE-2026-43873 WRITEUP HIGH WRITEUP
WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret ($objClone->myKey, a constant md5($global['systemRootPath'] . $global['salt'])) into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers without a valid key, but the rejection message interpolates the expected key before die(). When the victim has CloneSite configured with a remote cloneSiteURL (standard federation/backup setup), the leaked myKey is exactly the credential that authenticates the victim to that remote server's cloneServer.json.php, allowing the attacker to impersonate the victim and trigger a full mysqldump of the remote's database to the remote's public videos/clones/ directory Commit e6566f56a28f4556b2a0a09d03717a719dcb49da contains an updated fix.
CVSS 7.5
CVE-2026-43874 WRITEUP HIGH WRITEUP
WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field — the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix.
CVSS 7.2
CVE-2026-43875 WRITEUP MEDIUM WRITEUP
WWBN AVideo: Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Takeover
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<email>&pass=<HASH> where <HASH> is the victim's stored password hash (md5(hash("whirlpool", sha1(password)))) read directly from the users table. AVideo's own login endpoint (objects/login.json.php) accepts an encodedPass=1 flag that bypasses hashing and performs a direct string comparison between the supplied value and the stored hash. Anyone who captures the redirect URL — via server logs, referrer leakage, or browser history — therefore obtains a credential equivalent to the plaintext password and can fully take over the account, including admin accounts. Commit 977cd6930a97571a26da4239e25c8096dd4ecbc1 contains an updated fix.
CVSS 6.8
CVE-2026-43876 WRITEUP MEDIUM WRITEUP
WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix.
CVSS 6.4
CVE-2026-43877 WRITEUP MEDIUM WRITEUP
WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also triggers a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix.
CVSS 5.4
CVE-2026-43878 WRITEUP MEDIUM WRITEUP
WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim's browser in the context of the AVideo origin. No authentication is required if a public Meet schedule exists on the target. Commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b contains an updated fix.
CVSS 6.1
CVE-2026-43879 WRITEUP MEDIUM WRITEUP
WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses). When any other user (including a second account owned by the same attacker) donates even a trivial amount via plugin/CustomizeUser/donate.json.php, the AVideo server issues a curl POST to the attacker-supplied URL, resulting in a blind SSRF. The handler uses only isValidURL() (which is a format check) and does not call the codebase's own isSSRFSafeURL() helper. Additionally, CURLOPT_FOLLOWLOCATION is enabled with no per-hop revalidation, so even if the stored URL were validated, an HTTP 307 from an attacker-controlled host could redirect the POST to internal targets. Commit aaacd48f29f1ff71d1eb5fc81d37605f593cefa9 contains an updated fix.
CVSS 5.4
CVE-2026-43880 WRITEUP MEDIUM WRITEUP
WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain — ideal for targeted phishing and brand impersonation. Commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 contains an updated fix.
CVSS 5.3
CVE-2026-43881 WRITEUP MEDIUM WRITEUP
WWBN AVideo <= 29.0 - Unauthenticated User Enumeration
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller (including unauthenticated visitors), which defeats the admin-only guard inside User::getAllUsers()/User::getTotalUsers(). A second path accepts users_id and calls User::getUserFromID() directly with no permission check, producing a single-user oracle. Both paths return id, identification (display name), channel URL, photo, background, and status, plus the total account count. Commit d9cdc702481a626b15f814f6093f1e2a9c20d375 contains an updated fix.
CVSS 5.3
CVE-2026-43882 WRITEUP MEDIUM WRITEUP
WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.
CVSS 4.3
CVE-2026-43883 WRITEUP MEDIUM WRITEUP
WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID can silently suspend the victim's recurring subscription, causing revenue loss to the platform and loss of paid service to the victim. Commit 0da3dcff1eda2f497694bf82b559829471c292c2 contains an updated fix.
CVSS 4.2
CVE-2026-43884 WRITEUP HIGH WRITEUP
WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the initial URL, the redirect target bypasses all SSRF protections. Commit 603e7bf77a835584387327e35560262feb075db3 contains an updated fix.
CVSS 7.7
CVE-2026-43885 WRITEUP HIGH WRITEUP
WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints (e.g. users_list) without logging in. Commit 1c36f229d0a103528fb9f64d0a1cc0e1e8f5999b contains an updated fix.
CVE-2023-32073 WRITEUP HIGH WRITEUP
WWBN AVideo < 12.4 - Remote Code Execution via CloneSite Plugin
WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.
CVSS 8.8
CVE-2026-33501 WRITEUP MEDIUM WRITEUP
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
CVSS 5.3
CVE-2026-41055 WRITEUP HIGH WRITEUP
WWBN AVideo LiveLinks Proxy - Server-Side Request Forgery
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
CVSS 8.6
CVE-2026-41058 WRITEUP HIGH WRITEUP
AVideo <=29.0 CloneSite deleteDump - Path Traversal
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
CVSS 8.1
CVE-2026-41062 WRITEUP MEDIUM WRITEUP
AVideo <=29.0 ReceiveImage downloadURL - Path Traversal
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream function `try_get_contents_from_local()` in `objects/functionsFile.php` uses `explode('/videos/', $url)` on the **full URL string** including the query string. An attacker can place the `/videos/../../` traversal payload in the query string to bypass the security check and read arbitrary files from the server filesystem. Commit bd11c16ec894698e54e2cdae25026c61ad1ed441 contains an updated fix.
CVSS 6.5
CVE-2026-41063 WRITEUP MEDIUM WRITEUP
WWBN AVideo ParsedownSafeWithLinks - Cross-Site Scripting
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
CVSS 5.4
CVE-2026-41064 WRITEUP CRITICAL WRITEUP
AVideo <=29.0 test.php URL Handling - Command Injection
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevil[.]com`. Commit 78bccae74634ead68aa6528d631c9ec4fd7aa536 contains an updated fix.
CVSS 9.3
CVE-2026-39369 WRITEUP HIGH WRITEUP
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
WWBN AVideo is an open source video platform. In versions 26.0 and prior, objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.
CVSS 7.6
CVE-2026-40907 WRITEUP MEDIUM WRITEUP
WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
CVSS 6.5
CVE-2026-40909 WRITEUP HIGH WRITEUP
WWBN AVideo <= 29.0 - Path Traversal Remote Code Execution
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path at line 30 without any sanitization. The `$_POST['code']` parameter is then written verbatim to that path via `fwrite()` at line 40. An admin attacker (or any user who can CSRF an admin, since no CSRF token is checked and cookies use `SameSite=None`) can traverse out of the `locale/` directory and write arbitrary `.php` files to any writable location on the filesystem, achieving Remote Code Execution. Commit 57f89ffbc27d37c9d9dd727212334846e78ac21a fixes the issue.
CVSS 8.7
CVE-2026-40911 WRITEUP CRITICAL WRITEUP
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
CVSS 10.0
CVE-2026-40925 WRITEUP HIGH WRITEUP
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.
CVSS 8.3