| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41304 | WWBN AVideo vulnerable to RCE caused by clonesite plugin | WWBN | AVideo | - | - | 2026-04-21 23:07:49 | Deep Dive |
| CVE-2026-41064 | AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) | WWBN | AVideo | Critical | 9.3 | 2026-04-21 23:04:32 | Deep Dive |
| CVE-2026-41063 | WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) | WWBN | AVideo | Medium | 5.4 | 2026-04-21 22:59:53 | Deep Dive |
| CVE-2026-41062 | WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters | WWBN | AVideo | Medium | 6.5 | 2026-04-21 22:57:26 | Deep Dive |
| CVE-2026-41061 | WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiver | WWBN | AVideo | Medium | 5.4 | 2026-04-21 22:49:41 | Deep Dive |
| CVE-2026-41060 | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL | WWBN | AVideo | High | 7.7 | 2026-04-21 22:44:44 | Deep Dive |
| CVE-2026-41058 | AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo | WWBN | AVideo | High | 8.1 | 2026-04-21 22:43:17 | Deep Dive |
| CVE-2026-41057 | AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses | WWBN | AVideo | High | 7.1 | 2026-04-21 22:37:16 | Deep Dive |
| CVE-2026-41056 | AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover | WWBN | AVideo | High | 8.1 | 2026-04-21 22:35:56 | Deep Dive |
| CVE-2026-41055 | AVideo has an incomplete fix for CVE-2026-33039 (SSRF) | WWBN | AVideo | High | 8.6 | 2026-04-21 22:25:45 | Deep Dive |
| CVE-2026-40935 | WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure | WWBN | AVideo | Medium | 5.3 | 2026-04-21 22:21:17 | Deep Dive |
| CVE-2026-40929 | WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators | WWBN | AVideo | Medium | 5.4 | 2026-04-21 22:16:55 | Deep Dive |
| CVE-2026-40928 | AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion | WWBN | AVideo | Medium | 5.4 | 2026-04-21 22:14:15 | Deep Dive |
| CVE-2026-40926 | WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | WWBN | AVideo | High | 7.1 | 2026-04-21 22:12:29 | Deep Dive |
| CVE-2026-40925 | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | WWBN | AVideo | High | 8.3 | 2026-04-21 19:58:30 | Deep Dive |
| CVE-2026-40911 | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks | WWBN | AVideo | Critical | 10.0 | 2026-04-21 19:55:37 | Deep Dive |
| CVE-2026-40909 | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) | WWBN | AVideo | High | 8.7 | 2026-04-21 19:54:07 | Deep Dive |
| CVE-2026-40908 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version | WWBN | AVideo | Medium | 5.3 | 2026-04-21 19:52:34 | Deep Dive |
| CVE-2026-40907 | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | WWBN | AVideo | Medium | 6.5 | 2026-04-21 19:50:10 | Deep Dive |
| CVE-2026-39370 | WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) | WWBN | AVideo | High | 7.1 | 2026-04-07 19:26:27 | Deep Dive |