wwbn

207 tracked vulnerabilities.

CVE-2026-41063 MEDIUM
WWBN AVideo ParsedownSafeWithLinks - Cross-Site Scripting
Apr 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41062 MEDIUM
AVideo <=29.0 ReceiveImage downloadURL - Path Traversal
Apr 21, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-41061 MEDIUM
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiver
Apr 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41060 HIGH
AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
Apr 21, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-41058 HIGH
AVideo <=29.0 CloneSite deleteDump - Path Traversal
Apr 21, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41057 HIGH
AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses
Apr 21, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41056 HIGH
AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover
Apr 21, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41055 HIGH
WWBN AVideo LiveLinks Proxy - Server-Side Request Forgery
Apr 21, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-40935 MEDIUM
WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-40929 MEDIUM
WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
Apr 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-40928 MEDIUM
AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
Apr 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-40926 HIGH
WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
Apr 21, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-40925 HIGH
WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
Apr 21, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-40911 CRITICAL
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Apr 21, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-40909 HIGH
WWBN AVideo <= 29.0 - Path Traversal Remote Code Execution
Apr 21, 2026
CVSS 8.7
EPSS 0.01
CVE-2026-40908 MEDIUM
AVideo <=29.0 git.json.php - Unauthenticated Information Disclosure
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-40907 MEDIUM
WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39370 HIGH
WWBN AVideo <= 26.0 - Server-Side Request Forgery Response Exfiltration
Apr 07, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-39369 HIGH
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
Apr 07, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-39368 MEDIUM
AVideo <=26.0 Live Restream Callback - Stored Server-Side Request Forgery
Apr 07, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39367 MEDIUM
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Apr 07, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-39366 MEDIUM
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
Apr 07, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35452 MEDIUM
WWBN AVideo has Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
Apr 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35450 MEDIUM
WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
Apr 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35449 MEDIUM
WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
Apr 06, 2026
CVSS 5.3
EPSS 0.00