wwbn
207 tracked vulnerabilities.
CVE-2026-35448
LOW
WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
Apr 06, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-35181
MEDIUM
WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Apr 06, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35180
MEDIUM
WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write
Apr 06, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35179
MEDIUM
WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Apr 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34740
MEDIUM
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34739
MEDIUM
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34738
MEDIUM
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34737
MEDIUM
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34733
MEDIUM
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34732
MEDIUM
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
Mar 31, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34731
HIGH
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34716
MEDIUM
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
Mar 31, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-34613
MEDIUM
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34611
MEDIUM
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34396
MEDIUM
AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34395
MEDIUM
AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34394
HIGH
AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34375
HIGH
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-34374
CRITICAL
AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
Mar 27, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34369
MEDIUM
AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34368
MEDIUM
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34364
MEDIUM
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34362
MEDIUM
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34247
MEDIUM
AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34245
MEDIUM
AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Mar 27, 2026
CVSS 6.3
EPSS 0.00
Quick Filters