wwbn/avideo Security Advisories for 29.0 (19)
- [HIGH] WWBN AVideo: RCE caused by clonesite plugin
PKSA-z3t4-4xbz-b3c9 GHSA-xr6f-h4x7-r6qp
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
PKSA-v7bq-jd15-qdrz GHSA-pq8p-wc4f-vg7j
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
PKSA-gvmz-qdx4-njzh GHSA-m7r8-6q9j-m2hc
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
PKSA-pt2z-fxr4-fvmc GHSA-m63r-m9jh-3vc6
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
PKSA-gxyd-jpvf-3ngj GHSA-8pv3-29pp-pf8f
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
PKSA-8cks-7g1w-tz19 GHSA-j432-4w3j-3w8j
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
PKSA-q934-7bnb-4bby GHSA-5879-4fmr-xwf2
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
PKSA-tsyg-vszv-9tkz GHSA-ff5q-cc22-fgp4
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
PKSA-5c4b-gnfd-8xsq GHSA-ccq9-r5cw-5hwq
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
PKSA-zgmc-4215-ztzk GHSA-793q-xgj6-7frp
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
PKSA-k6wt-ck7m-8514 GHSA-hg7g-56h5-5pqr
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
PKSA-8nj2-vhcz-7bc5 GHSA-8qm8-g55h-xmqr
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
PKSA-k36z-m2m9-7f9w GHSA-x2pw-9c38-cp2j
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
PKSA-ttj4-18vr-tsp9 GHSA-ffw8-fwxp-h64w
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
PKSA-nfcd-g6c3-5tff GHSA-vvfw-4m39-fjqf
Affected version: <=29.0
Reported by: GitHub
- [CRITICAL] WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
PKSA-zr2c-vrf1-x6qy GHSA-gph2-j4c9-vhhr
Affected version: <=29.0
Reported by: GitHub
- [HIGH] WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
PKSA-mbzn-myxk-vdz9 GHSA-6rc6-p838-686f
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
PKSA-yc9y-ydj1-h48d GHSA-52hf-63q4-r926
Affected version: <=29.0
Reported by: GitHub
- [MEDIUM] WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
PKSA-2sy8-4q8b-cn2c GHSA-gpgp-w4x2-h3h7
Affected version: <=29.0
Reported by: GitHub