wwbn
207 tracked vulnerabilities.
CVE-2026-33502
CRITICAL
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Mar 23, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-33501
MEDIUM
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33500
MEDIUM
AVideo Vulnerable to Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
Mar 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33499
MEDIUM
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33493
HIGH
AVideo <=26.0 import.json.php fileURI - Path Traversal
Mar 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-33492
HIGH
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
Mar 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-33488
HIGH
AVideo <=26.0 LoginControl PGP - Two-Factor Authentication Bypass
Mar 23, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33485
HIGH
AVideo <=26.0 RTMP on_publish - Unauthenticated Blind SQL Injection
Mar 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33483
HIGH
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
Mar 23, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33482
HIGH
AVideo <=26.0 sanitizeFFmpegCommand - OS Command Injection
Mar 23, 2026
CVSS 8.1
EPSS 0.02
CVE-2026-33480
HIGH
AVideo <=26.0 LiveLinks Proxy - Server-Side Request Forgery Bypass
Mar 23, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-33479
HIGH
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
Mar 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-33478
CRITICAL
NUCLEI
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
Mar 23, 2026
CVSS 10.0
EPSS 0.13
CVE-2026-33354
HIGH
AVideo <=26.0 aVideoEncoder chunkFile - Local File Read
Mar 23, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-33352
CRITICAL
AVideo <26.0 doNotShowCats - Unauthenticated SQL Injection
Mar 23, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-33351
CRITICAL
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Mar 23, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-33297
CRITICAL
AVideo <26.0 setPassword.json.php - Channel Password Bypass
Mar 23, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-33319
MEDIUM
AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
Mar 22, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33296
MEDIUM
AVideo <26.0 userLogin.php redirectUri - Open Redirect
Mar 22, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33295
MEDIUM
AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
Mar 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33294
MEDIUM
AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources
Mar 22, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-33293
HIGH
AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
Mar 22, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-33292
HIGH
AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
Mar 22, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33238
MEDIUM
AVideo <26.0 listFiles.json.php - Filesystem Enumeration
Mar 21, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33237
MEDIUM
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
Mar 21, 2026
CVSS 5.5
EPSS 0.00
Quick Filters