wwbn

207 tracked vulnerabilities.

CVE-2026-35448 LOW
WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
Apr 06, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-35181 MEDIUM
WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Apr 06, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35180 MEDIUM
WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write
Apr 06, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35179 MEDIUM
WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Apr 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34740 MEDIUM
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34739 MEDIUM
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34738 MEDIUM
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34737 MEDIUM
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34733 MEDIUM
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34732 MEDIUM
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
Mar 31, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34731 HIGH
AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34716 MEDIUM
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
Mar 31, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-34613 MEDIUM
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34611 MEDIUM
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34396 MEDIUM
AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34395 MEDIUM
AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34394 HIGH
AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34375 HIGH
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-34374 CRITICAL
AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
Mar 27, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34369 MEDIUM
AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34368 MEDIUM
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34364 MEDIUM
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Mar 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34362 MEDIUM
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34247 MEDIUM
AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34245 MEDIUM
AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Mar 27, 2026
CVSS 6.3
EPSS 0.00