wwbn/avideo Security Advisories for 10.4 (80)
-
[HIGH] AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
PKSA-vp5k-2k3q-kh8x CVE-2026-34375 GHSA-pm37-62g7-p768
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
PKSA-jgsk-3v13-mp5q CVE-2026-34369 GHSA-q6jj-r49p-94fh
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
PKSA-r7hg-81sr-ph3s CVE-2026-34368 GHSA-h54m-c522-h6qr
Affected version: <=26.0
Reported by:
GitHub -
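The double-spend entry above is a check-then-act race: the balance is read, compared, and written back as an absolute value, so every request that read the old balance "succeeds". The following is an added illustration in Python, not AVideo's PHP transferBalance; the wallet table, column names, amounts and worker count are constructed for the demo. It runs the racy and the atomic debit under the same concurrency and counts how many debits a 100-credit wallet accepts.

```python
"""Check-then-act race on a wallet balance, and the atomic debit that closes it.
Added example, not AVideo code: the wallet table, column names and amounts are
constructed for the demo."""
import os
import sqlite3
import tempfile
import threading


def _new_db(balance):
    """Create a throwaway SQLite file holding one wallet row."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE wallet (users_id INTEGER PRIMARY KEY, balance REAL NOT NULL)")
    con.execute("INSERT INTO wallet VALUES (1, ?)", (balance,))
    con.commit()
    con.close()
    return path


def transfer_racy(path, users_id, amount, barrier):
    """Vulnerable pattern: SELECT the balance, decide, then write back an
    absolute value. Every worker that read the old balance 'succeeds'."""
    con = sqlite3.connect(path, timeout=10)
    rows = con.execute("SELECT balance FROM wallet WHERE users_id = ?", (users_id,)).fetchall()
    balance = rows[0][0]
    ok = balance >= amount        # time of check
    barrier.wait()                # every worker has now read the same balance
    if ok:                        # time of use: stale decision, absolute write
        con.execute("UPDATE wallet SET balance = ? WHERE users_id = ?",
                    (balance - amount, users_id))
        con.commit()
    con.close()
    return ok


def transfer_atomic(path, users_id, amount, barrier):
    """Fixed pattern: check and debit are one conditional UPDATE that the
    database serializes, so only a debit that still fits succeeds."""
    con = sqlite3.connect(path, timeout=10)
    barrier.wait()
    cur = con.execute(
        "UPDATE wallet SET balance = balance - ? WHERE users_id = ? AND balance >= ?",
        (amount, users_id, amount))
    con.commit()
    ok = cur.rowcount == 1        # 0 rows means the balance no longer covered it
    con.close()
    return ok


def run_race(transfer, workers=5, balance=100.0, amount=100.0):
    """Run `workers` concurrent transfers of `amount` from one wallet and return
    (successful debits, final balance). A correct wallet allows exactly one."""
    path = _new_db(balance)
    barrier = threading.Barrier(workers, timeout=30)
    results = []
    threads = [threading.Thread(target=lambda: results.append(transfer(path, 1, amount, barrier)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    final = con.execute("SELECT balance FROM wallet WHERE users_id = 1").fetchall()[0][0]
    con.close()
    os.unlink(path)
    return sum(results), final


if __name__ == "__main__":
    print("racy:  ", run_race(transfer_racy))     # (5, 0.0): five debits from 100
    print("atomic:", run_race(transfer_atomic))   # (1, 0.0): exactly one debit
```

The barrier only makes the window deterministic for the demo; in production the window is the network and database latency between the SELECT and the UPDATE, which is plenty for parallel requests. The conditional UPDATE (or `SELECT ... FOR UPDATE` inside one transaction on MySQL) is the fix; checking in application code and writing an absolute value is not.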
[MEDIUM] AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
PKSA-zrqg-465j-tm13 CVE-2026-34364 GHSA-73gr-r64q-7jh4
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
PKSA-3yrj-j1ff-gsp4 CVE-2026-34362 GHSA-2mg4-pfgx-64cf
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
PKSA-6jcq-63hk-b922 CVE-2026-34247 GHSA-g3hj-mf85-679g
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
PKSA-fw58-yv1p-mjjv CVE-2026-34245 GHSA-2rm7-j397-3fqg
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records
PKSA-mhr2-p9hx-xy4j GHSA-wprj-9cvc-5w37
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has Plaintext Video Password Storage
PKSA-vcf8-yygk-smvm CVE-2026-33867 GHSA-363v-5rh8-23wg
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
PKSA-d1c1-62x6-fsdv CVE-2026-33770 GHSA-584p-rpvq-35vf
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query
PKSA-d7fp-yz92-57bz CVE-2026-33767 GHSA-fj74-qxj7-r3vc
Affected version: <26.0
Reported by:
GitHub -
[MEDIUM] AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
PKSA-37q2-fmsd-htgf CVE-2026-33766 GHSA-f359-r3pv-2phf
Affected version: <=14.3
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
PKSA-ggc8-4vpf-v295 CVE-2026-33764 GHSA-g39v-qrj6-jxrh
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
PKSA-qmkf-gp88-ftk6 CVE-2026-33763 GHSA-8prq-2jr2-cm92
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
PKSA-t2zr-g4vs-n5nr CVE-2026-33761 GHSA-j724-5c6c-68g5
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
PKSA-kzzd-7tpm-2718 CVE-2026-33759 GHSA-75qq-68m8-pvfr
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
PKSA-c9d6-fz2f-92mg CVE-2026-33723 GHSA-ffr8-fxhv-fv8h
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
PKSA-nk6y-bx1m-kq7t CVE-2026-33719 GHSA-r64r-883r-wcwh
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
PKSA-xbpw-5md3-j3nz CVE-2026-33717 GHSA-8wf4-c4x3-h952
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
PKSA-7gff-yt7v-8bkx CVE-2026-33716 GHSA-9hv9-gvwm-95f2
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
PKSA-x77f-z8vb-hbfr CVE-2026-33690 GHSA-8p2x-5cpm-qrqw
Affected version: <=26.0
Reported by:
GitHub -
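The getRealIpAddr() entry above is the familiar pattern of reading `X-Forwarded-For`, `X-Real-IP` or `Client-IP` from whatever client sent them, which lets any direct client pick the address that lands in rate limits, bans and audit logs. The following is an added Python illustration, not AVideo's function; the trusted-proxy range, header names and request fixtures are constructed. It shows the naive read beside the trusted-proxy walk that only honours the header when the TCP peer is one of our own proxies.

```python
"""Client IP recovery: naive header trust versus a trusted-proxy walk.
Added example, not AVideo code; proxy range and headers are constructed."""
import ipaddress

# constructed: address range of the reverse proxies in front of the app
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr, headers):
    """Vulnerable: whichever header is present wins, so a client that connects
    directly (or through a proxy that does not strip these) can forge it."""
    for name in ("X-Forwarded-For", "X-Real-IP", "Client-IP"):
        if name in headers:
            return headers[name].split(",")[0].strip()
    return remote_addr


def _trusted(ip):
    """True if `ip` belongs to one of our proxies (raises on garbage input)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers):
    """Honour X-Forwarded-For only when the socket peer is a trusted proxy,
    then walk the chain from the right, skipping hops we trust; the first
    untrusted hop is the client. Anything to its left is attacker-controlled."""
    if not _trusted(remote_addr):
        return remote_addr                      # direct client: header is noise
    chain = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    for hop in reversed(chain):
        try:
            if not _trusted(hop):
                return hop
        except ValueError:
            break                               # malformed entry: stop walking
    return remote_addr                          # proxy with an empty or all-trusted chain
```

The reverse proxy must also overwrite, not append to, any `X-Forwarded-For` it receives from the outside when only one hop is expected; otherwise the rightmost-untrusted rule is the only safe reading.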
[MEDIUM] AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php
PKSA-6bhm-ppng-rh7j GHSA-wxjx-r2j2-96fx
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
PKSA-rmrd-1jny-519s CVE-2026-33688 GHSA-m99f-mmvg-3xmx
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
PKSA-rhxf-1yfy-x5fd CVE-2026-33685 GHSA-j36m-74g2-7m95
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
PKSA-cx3j-v85y-y9tv CVE-2026-33683 GHSA-ghx5-7jjg-q2j7
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name
PKSA-9p99-sn38-6cwv CVE-2026-33681 GHSA-3hwv-x8g3-9qpr
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
PKSA-m663-qqs4-57t4 CVE-2026-33651 GHSA-pvw4-p2jm-chjm
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
PKSA-kbvc-x3nh-bwr5 CVE-2026-33650 GHSA-8x77-f38v-4m5j
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
PKSA-nfgn-q1hy-xddr CVE-2026-33649 GHSA-g8x9-7mgh-7cvj
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
PKSA-cpqv-3x62-47s6 CVE-2026-33648 GHSA-5m4q-5cvx-36mw
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
PKSA-sv6m-nx8k-5kz3 CVE-2026-33647 GHSA-wxjw-phj6-g75w
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
PKSA-2x5y-pg7k-8jx1 CVE-2026-33513 GHSA-8fw8-q79c-fp9m
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an unauthenticated decrypt oracle leaking any ciphertext
PKSA-stv4-sw5c-pp7h CVE-2026-33512 GHSA-mwjc-5j4x-r686
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
PKSA-9rhr-hzp4-skcj CVE-2026-33507 GHSA-hv36-p4w4-6vmj
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has Unauthenticated SSRF via plugin/Live/test.php
PKSA-734r-s438-vkf3 CVE-2026-33502 GHSA-3fpm-8rjr-v5mc
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
PKSA-93k3-9zdh-zky7 CVE-2026-33501 GHSA-96qp-8cmq-jvq8
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
PKSA-fjmv-8jwk-wtsg CVE-2026-33500 GHSA-72h5-39r7-r26j
Affected version: <=26.0
Reported by:
GitHub -
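The two Markdown/XSS entries above (the `javascript:` URI bypass here, and the earlier one where html_entity_decode() undoes escaping) share a root cause: a filter that compares the raw string, while the browser first decodes entities, strips control characters and ignores case before it reads the scheme. The following is an added Python illustration of that gap, not AVideo's or Parsedown's code; all inputs are constructed. It shows a prefix blocklist failing against the usual encodings beside a scheme allowlist applied after canonicalization.

```python
"""Why a plain startswith("javascript:") filter on link targets is bypassable,
and a scheme allowlist that is not. Added example, not AVideo or Parsedown
code; the inputs are constructed."""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_is_safe(href):
    """Weak check: only a literal, lower-case 'javascript:' prefix is caught."""
    return not href.startswith("javascript:")


def canonical_scheme(href):
    """Normalize the way a browser will before it reads the scheme: decode HTML
    entities (the same step an html_entity_decode() call performs server-side),
    drop ASCII control and whitespace characters, lower-case, then split."""
    s = html.unescape(href)
    s = "".join(ch for ch in s if ord(ch) > 0x20 and ord(ch) != 0x7F)
    return urlsplit(s.lower()).scheme


def strict_is_safe(href):
    """Allowlist check: relative links and known schemes only. Note that a
    protocol-relative '//host/path' has an empty scheme and is allowed here;
    reject it too if the site never links off-origin."""
    scheme = canonical_scheme(href)
    return scheme == "" or scheme in ALLOWED_SCHEMES


def safe_href(href):
    """What a renderer should emit: the original href if allowed, else a
    neutral target. The original string is kept, never the decoded one, so
    no entity is un-escaped on the way out."""
    return href if strict_is_safe(href) else "#"


# constructed payloads that the naive filter accepts and a browser executes
BYPASSES = [
    "JaVaScRiPt:alert(1)",
    " javascript:alert(1)",
    "java\tscript:alert(1)",
    "&#106;avascript:alert(1)",
    "javascript&colon;alert(1)",
]
```

The order matters: decode first, then strip, then lower-case, then allowlist. Doing any of these after the comparison, or decoding again after sanitizing (the html_entity_decode() pattern), reopens the hole.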
[MEDIUM] AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
PKSA-g9zg-y2pv-yf4q CVE-2026-33499 GHSA-7292-w8qp-mhq2
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
PKSA-28kd-gd4j-w94p CVE-2026-33493 GHSA-83xq-8jxj-4rxm
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
PKSA-3ybr-q6r1-fnzm CVE-2026-33492 GHSA-x3pr-vrhq-vq43
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
PKSA-qjdg-5npg-72ng CVE-2026-33488 GHSA-6m5f-j7w2-w953
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
PKSA-v7r8-5fwd-x92z CVE-2026-33485 GHSA-8p58-35c3-ccxx
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
PKSA-f4gx-6t2c-nrd6 CVE-2026-33483 GHSA-vv7w-qf5c-734w
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
PKSA-tp22-rjkg-27h5 CVE-2026-33482 GHSA-pmj8-r2j7-xg6c
Affected version: <=26.0
Reported by:
GitHub -
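The sanitizeFFmpegCommand() entry above is a blocklist failure: stripping `;`, `|`, `&` and backticks does nothing about `$(...)`, which the shell expands just the same. The following is an added Python illustration, not AVideo's sanitizer; `echo` stands in for ffmpeg and the payload is constructed. It runs the same input through a blocklist-and-shell path, an argv path with no shell, and a `shlex.quote()` path, and shows which ones execute the substitution.

```python
"""Why a metacharacter blocklist is the wrong fix for command injection:
'$(...)' is expanded by sh after ';', '|', '&' and backticks are removed.
Added example, not AVideo code; 'echo' stands in for ffmpeg."""
import shlex
import subprocess


def blocklist_sanitize(arg):
    """Weak sanitizer: removes the obvious separators, misses '$(' and '${'."""
    for bad in (";", "|", "&", "`", "\n"):
        arg = arg.replace(bad, "")
    return arg


def run_via_shell(arg):
    """Vulnerable: builds one command line and hands it to sh -c."""
    cmd = "echo " + blocklist_sanitize(arg)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


def run_via_argv(arg):
    """Fixed: argv list, no shell, so '$(' is just bytes inside an argument."""
    return subprocess.run(["echo", arg], capture_output=True, text=True).stdout.strip()


def run_via_shell_quoted(arg):
    """When a shell string is unavoidable, shlex.quote() wraps the value so the
    shell treats it as a single literal word (the escapeshellarg() equivalent)."""
    cmd = "echo " + shlex.quote(arg)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


# constructed payload: survives the blocklist, still runs a command under sh -c
PAYLOAD = "clip.mp4 $(echo INJECTED)"
```

Of the three, the argv form is the one to prefer: quoting is correct only if it is applied to every interpolated value, while an argv list has no shell to fool in the first place.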
[HIGH] AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
PKSA-8d9c-5xxm-8vns CVE-2026-33480 GHSA-p3gr-g84w-g8hh
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
PKSA-4kfk-t6qg-77z2 CVE-2026-33479 GHSA-xggw-g9pm-9qhh
Affected version: <=26.0
Reported by:
GitHub -
[HIGH] AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
PKSA-6mc5-gbk2-4jkz CVE-2026-33354 GHSA-4jw9-5hrc-m4j6
Affected version: <=26.0
Reported by:
GitHub -
[CRITICAL] AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
PKSA-zqc4-q9ns-kq82 CVE-2026-33352 GHSA-mcj5-6qr4-95fj
Affected version: <=26.0
Reported by:
GitHub -
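The backslash-escape entry above, like the other SQL injection entries in this list, comes from building a query by string interpolation. A filter that strips quote characters looks like it closes the hole, but MySQL treats a backslash as escaping the character after it, so a value ending in `\` swallows its own closing quote and the next interpolated field lands outside any string. The following is an added Python illustration, not AVideo's code; the table, the two-field query and the lexer are constructed. The lexer applies MySQL's string-literal rules to show where the literal really ends, and the parameterized form shows the same inputs treated as data.

```python
"""Backslash escape bypass: a quote-stripping filter, a MySQL-style literal
lexer that shows where the literal actually ends, and the parameterized fix.
Added example, not AVideo code; table and query are constructed."""
import sqlite3


def strip_quotes(value):
    """Weak filter: removes quote characters but leaves backslashes alone."""
    return value.replace("'", "").replace('"', "")


def build_query(cat_a, cat_b):
    """Vulnerable: filtered values interpolated into quoted literals."""
    return ("SELECT id, title FROM videos WHERE category = '%s' AND category2 = '%s'"
            % (strip_quotes(cat_a), strip_quotes(cat_b)))


def lex_mysql(sql):
    """Split `sql` the way MySQL's lexer does for single-quoted literals:
    backslash escapes the next character and '' is a literal quote. Returns
    (list of literal contents, text outside literals)."""
    literals, outside, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            outside.append(sql[i])
            i += 1
            continue
        i += 1
        buf = []
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:                        # \x -> x
                buf.append(sql[i + 1])
                i += 2
            elif c == "'" and i + 1 < n and sql[i + 1] == "'":  # '' -> '
                buf.append("'")
                i += 2
            elif c == "'":                                     # closing quote
                i += 1
                break
            else:
                buf.append(c)
                i += 1
        literals.append("".join(buf))
    return literals, "".join(outside)


def demo_db():
    """Constructed SQLite table standing in for the videos table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, "
                "category TEXT, category2 TEXT)")
    con.executemany("INSERT INTO videos VALUES (?, ?, ?, ?)",
                    [(1, "Concert", "music", "live"),
                     (2, "Private rehearsal", "music", "private")])
    return con


def safe_query(con, cat_a, cat_b):
    """Fixed: placeholders; a trailing backslash is just one more byte."""
    return con.execute(
        "SELECT id, title FROM videos WHERE category = ? AND category2 = ?",
        (cat_a, cat_b)).fetchall()
```

With `cat_a = "\\"` and `cat_b = " OR 1=1 -- "`, the lexer reports the first literal as `' AND category2 = ` and the injected `OR 1=1` outside any string, which is exactly what the database server will execute. Escaping every value with the driver's escape function would also close this specific case, but only prepared statements remove the class.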
[CRITICAL] AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
PKSA-kz4k-1fdq-4jkn CVE-2026-33351 GHSA-5f7v-4f6g-74rj
Affected version: <=26.0
Reported by:
GitHub -
[MEDIUM] AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
PKSA-qms8-qf5t-6w9q CVE-2026-33297 GHSA-6547-8hrg-c55m
Affected version: <=25.0
Reported by:
GitHub -
[LOW] AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
PKSA-yh5p-7324-8k1n CVE-2026-33296 GHSA-hj5h-5623-gwhw
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
PKSA-7zcq-fgdd-9176 CVE-2026-33295 GHSA-gc3m-4mcr-h3pv
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
PKSA-69wq-d8c2-6qbn CVE-2026-33294 GHSA-66cw-h2mj-j39p
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
PKSA-61gg-79td-yp6m CVE-2026-33293 GHSA-xmjm-86qv-g226
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
PKSA-ht27-8rcs-t939 CVE-2026-33292 GHSA-pw4v-x838-w5pg
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has Unauthenticated PGP Message Decryption via Public Endpoint
PKSA-3whn-q4tm-bwhh GHSA-5x2w-37xf-7962
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
PKSA-5drt-2yg3-m4bb CVE-2026-33319 GHSA-w5ff-2mjc-4phc
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
PKSA-484r-cdwt-2gm4 CVE-2026-33238 GHSA-4wmm-6qxj-fpj4
Affected version: <=14.0
Reported by:
GitHub -
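Six entries in this list are path traversal in one form or another (pluginRunDatabaseScript, import.json.php fileURI, aVideoEncoder chunkFile, CloneSite deleteDump, the HLS endpoint, and listFiles.json.php above). The containment check they all need is the same: resolve the user-supplied name against the intended base directory, including `..` and symlinks, and refuse anything that does not end up under that base. The following is an added Python illustration, not AVideo's code; the directory layout is constructed in a temporary directory. It contrasts a plain `os.path.join`, a string-prefix check (which accepts a sibling directory whose name merely starts with the base), and a component-wise check on the resolved path.

```python
"""Containment check for user-supplied file names: naive join, prefix check
and a real-path component check. Added example, not AVideo code; the
directory layout is constructed in a temp dir."""
import os
import tempfile


class UnsafePath(ValueError):
    pass


def naive_join(base, user_path):
    """Vulnerable: os.path.join() drops `base` when `user_path` is absolute
    and does nothing about '..' components or symlinks."""
    return os.path.join(base, user_path)


def prefix_contained(base, user_path):
    """Half fix: resolves the path but compares as a string prefix, so
    '/srv/videos_private' passes a check for '/srv/videos'."""
    base_real = os.path.realpath(base)
    return os.path.realpath(os.path.join(base_real, user_path)).startswith(base_real)


def safe_join(base, user_path):
    """Return an absolute path guaranteed to lie inside `base`, or raise."""
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    base_real = os.path.realpath(base)
    # strip leading separators so an absolute input cannot replace the base
    candidate = os.path.realpath(os.path.join(base_real, user_path.lstrip("/\\")))
    # commonpath compares whole components, which closes the prefix pitfall
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePath("path escapes base directory: %r" % user_path)
    return candidate


def is_contained(base, user_path):
    try:
        safe_join(base, user_path)
        return True
    except UnsafePath:
        return False


def demo_layout():
    """Constructed tree: root/videos/clip.mp4, root/videos/link -> a secret file
    outside videos/, and a sibling root/videos_private/ to trigger the prefix bug."""
    root = tempfile.mkdtemp()
    videos = os.path.join(root, "videos")
    os.mkdir(videos)
    os.mkdir(os.path.join(root, "videos_private"))
    with open(os.path.join(videos, "clip.mp4"), "w") as f:
        f.write("x")
    with open(os.path.join(root, "configuration.php"), "w") as f:
        f.write("secret")
    os.symlink(os.path.join(root, "configuration.php"), os.path.join(videos, "link"))
    with open(os.path.join(root, "videos_private", "x.mp4"), "w") as f:
        f.write("y")
    return root, videos
```

For a delete or overwrite endpoint, add a second rule on top of containment: only files the caller owns, looked up by id in the database, never by a name the caller typed.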
[MEDIUM] AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
PKSA-1msk-y5kh-hb4p CVE-2026-33237 GHSA-v467-g7g7-hhfh
Affected version: <=14.0
Reported by:
GitHub -
[HIGH] AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
PKSA-spwc-tcr7-cpby CVE-2026-33039 GHSA-9x67-f2v7-63rw
Affected version: <=25.0
Reported by:
GitHub -
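Three SSRF entries in this list are bypasses of an existing check rather than a missing one: the image-download and LiveLinks entries follow an HTTP redirect after validating only the first URL, and the LiveLinks entry before them passes an IPv4-mapped IPv6 literal such as `::ffff:127.0.0.1` through an IPv4-only blocklist. The following is an added Python illustration of both, not AVideo's isSSRFSafeURL(); the hostnames, the resolver table and the redirect map are constructed fixtures, so nothing touches the network. It unwraps mapped addresses before classifying them and re-validates every hop of a redirect chain.

```python
"""SSRF guard: IPv4-mapped IPv6 unwrapping and per-hop redirect validation.
Added example, not AVideo code; DNS and redirect fixtures are constructed."""
import ipaddress
from urllib.parse import urlsplit

# constructed resolver table (8.8.8.8 / 93.184.216.34 chosen as clearly public)
FAKE_DNS = {
    "cdn.example.net": ["8.8.8.8"],
    "attacker.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
}

# constructed redirect fixture: URL -> Location header it answers with
FAKE_REDIRECTS = {
    "http://attacker.example/img.jpg": "http://metadata.internal/latest/meta-data/",
}


def weak_is_private(host):
    """IPv4-only check: an IPv6 literal never parses, so it is 'not private'."""
    try:
        return ipaddress.IPv4Address(host).is_private
    except ipaddress.AddressValueError:
        return False


def is_blocked_ip(ip):
    """Unwrap IPv4-mapped IPv6 first, then reject anything not globally
    routable (loopback, RFC 1918, link-local incl. 169.254.169.254, multicast)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def resolve(host):
    """Literal IPs resolve to themselves; names go through the fixture table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_ssrf_safe_url(url):
    """Scheme allowlist plus a check on every address the host resolves to."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    ips = resolve(u.hostname)      # urlsplit strips the [] around IPv6 literals
    return bool(ips) and not any(is_blocked_ip(ip) for ip in ips)


def fetch_first_hop_only(url):
    """Vulnerable pattern: validate once, then let the client follow redirects."""
    if not is_ssrf_safe_url(url):
        raise ValueError("blocked: " + url)
    while url in FAKE_REDIRECTS:
        url = FAKE_REDIRECTS[url]
    return url


def fetch_with_revalidation(url, max_hops=5):
    """Fixed pattern: redirects are followed by hand and every hop is checked."""
    for _ in range(max_hops + 1):
        if not is_ssrf_safe_url(url):
            raise ValueError("blocked: " + url)
        nxt = FAKE_REDIRECTS.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects")
```

Two caveats a real implementation still has to handle: the connection must be made to the address that was validated (resolving twice invites DNS rebinding), and the client library must have automatic redirect following switched off, or the per-hop check never runs.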
[MEDIUM] Unauthenticated Reflected XSS via innerHTML in AVideo
PKSA-qj1g-pbwp-h996 CVE-2026-33035 GHSA-wfq5-qgqp-hvhv
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
PKSA-pcdx-pg9p-v4gz CVE-2026-33043 GHSA-qc3p-398r-p59j
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php
PKSA-v5mg-73g8-w2x4 CVE-2026-33041 GHSA-px7x-gq96-rmp5
Affected version: <=25.0
Reported by:
GitHub -
[HIGH] AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
PKSA-3jbs-pwhv-9v32 CVE-2026-33038 GHSA-2f9h-23f7-8gcx
Affected version: <=25.0
Reported by:
GitHub -
[MEDIUM] AVideo has Unauthenticated IDOR - Playlist Information Disclosure
PKSA-prng-jvqx-4vkt CVE-2026-30885 GHSA-6w2r-cfpc-23r5
Affected version: <25.0
Reported by:
GitHub -
[HIGH] AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
PKSA-876z-dgrg-zwqs CVE-2026-29093 GHSA-xxpw-32hf-q8v9
Affected version: <=21.0
Reported by:
GitHub -
[CRITICAL] AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
PKSA-p5zb-45dv-s5gy CVE-2026-28502 GHSA-v8jw-8w5p-23g3
Affected version: <21.0
Reported by:
GitHub -
[CRITICAL] AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
PKSA-xtjn-tvnf-r8sj CVE-2026-28501 GHSA-pv87-r9qf-x56p
Affected version: <=21.0.0
Reported by:
GitHub -
[HIGH] AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
PKSA-mpqq-rw7h-r6qr CVE-2026-27732 GHSA-h39h-7cvg-q7j6
Affected version: <=21.0.0
Reported by:
GitHub -
[MEDIUM] AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
PKSA-zj1v-1r3y-vnpg CVE-2026-27568 GHSA-rcqw-6466-3mv7
Affected version: <21.0
Reported by:
GitHub -
[MEDIUM] AVideo cross-site scripting vulnerability in the view/about.php page
PKSA-m87c-2qr6-rc54 CVE-2024-34899 GHSA-f98p-2hc5-fm7v
Affected version: <14.3
Reported by:
GitHub -
[MEDIUM] WWBN AVideo recovery notification bypass vulnerability
PKSA-bpdw-n2tk-hn54 CVE-2023-50172 GHSA-8m5f-2xvp-2c8w
Affected version: <=12.4
Reported by:
GitHub -
[HIGH] WWBN AVideo Improper Restriction of Excessive Authentication Attempts vulnerability
PKSA-ybsw-d66n-nyf1 CVE-2023-49810 GHSA-v977-h4hm-rrff
Affected version: <=12.4
Reported by:
GitHub -
[CRITICAL] WWBN AVideo Insufficient Entropy vulnerability
PKSA-c41p-f5f9-8mhz CVE-2023-49599 GHSA-wqcc-qf63-c2x4
Affected version: <=12.4
Reported by:
GitHub -
[HIGH] WWBN AVideo command injection vulnerability
PKSA-ws9n-zq9c-9xzs CVE-2023-32073 GHSA-2mhh-27v7-3vcx
Affected version: <=12.4
Reported by:
GitHub -
[HIGH] WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account
PKSA-t55s-s47b-sccg CVE-2023-30860 GHSA-xr9h-p2rc-rpqm
Affected version: <12.4
Reported by:
GitHub -
[HIGH] Remote code injection in wwbn/avideo
PKSA-ct52-vj4v-3chj CVE-2023-30854 GHSA-6vrj-ph27-qfp3
Affected version: <12.4
Reported by:
GitHub -
[HIGH] Cross site scripting (XSS) in wwbn/avideo
PKSA-8k5w-rfw7-6y43 GHSA-2fch-hv74-fgw9
Affected version: <12.4
Reported by:
GitHub -
[CRITICAL] AVideo contains Command injection when embedding a video link
PKSA-cgqj-pxkw-3pc8 CVE-2023-25313 GHSA-pgvh-p3g4-86jw
Affected version: <12.4
Reported by:
GitHub -
[MEDIUM] Open redirect in wwbn/avideo
PKSA-yy51-mh2t-n18p CVE-2022-27463 GHSA-34hv-f45p-4qfq
Affected version: <=11.6
Reported by:
GitHub