wwbn
197 tracked vulnerabilities.
CVE-2026-34731
HIGH
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34716
MEDIUM
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
Mar 31, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-34613
MEDIUM
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34611
MEDIUM
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34396
MEDIUM
AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34395
MEDIUM
AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34394
HIGH
AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34375
HIGH
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-34374
CRITICAL
AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
Mar 27, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34369
MEDIUM
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34368
MEDIUM
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34364
MEDIUM
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34362
MEDIUM
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34247
MEDIUM
AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34245
MEDIUM
AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Mar 27, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-33867
HIGH
AVideo has Plaintext Video Password Storage
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33770
CRITICAL
AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
Mar 27, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-33767
HIGH
AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
Mar 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33766
MEDIUM
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
Mar 27, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33764
MEDIUM
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Mar 27, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33763
MEDIUM
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33761
MEDIUM
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33759
MEDIUM
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33723
HIGH
AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php
Mar 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-33719
HIGH
WWBN AVideo <= 26.0 - Unauthenticated CDN Configuration Modification via par Parameter
Mar 23, 2026
CVSS 8.6
EPSS 0.00