wwbn
197 tracked vulnerabilities.
CVE-2026-33717
HIGH
AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort
Mar 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33716
CRITICAL
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
Mar 23, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-33690
MEDIUM
WWBN AVideo <= 26.0 - IP Address Spoofing via HTTP Header Manipulation
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33688
MEDIUM
AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33685
MEDIUM
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33683
MEDIUM
WWBN AVideo <= 26.0 - Stored Cross-Site Scripting via User Profile About Field
Mar 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33681
HIGH
AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name
Mar 23, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-33651
HIGH
AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
Mar 23, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33650
HIGH
AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
Mar 23, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-33649
HIGH
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
Mar 23, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33648
HIGH
WWBN AVideo <=26.0 - Command Injection
Mar 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33647
HIGH
AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
Mar 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33513
HIGH
AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
Mar 23, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-33512
HIGH
WWBN AVideo <=26.0 - Info Disclosure
Mar 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33507
HIGH
AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
Mar 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33502
CRITICAL
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Mar 23, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-33501
MEDIUM
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33500
MEDIUM
AVideo Vulnerable to Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
Mar 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33499
MEDIUM
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33493
HIGH
AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
Mar 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-33492
HIGH
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
Mar 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-33488
HIGH
AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
Mar 23, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33485
HIGH
AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
Mar 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33483
HIGH
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
Mar 23, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33482
HIGH
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
Mar 23, 2026
CVSS 8.1
EPSS 0.00