| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-39369 | WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs | WWBN | AVideo | High | 7.6 | 2026-04-07 19:24:33 |
| CVE-2026-39368 | WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services | WWBN | AVideo | Medium | 6.5 | 2026-04-07 19:23:30 |
| CVE-2026-39367 | WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page | WWBN | AVideo | Medium | 5.4 | 2026-04-07 19:22:08 |
| CVE-2026-39366 | WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php | WWBN | AVideo | Medium | 6.5 | 2026-04-07 19:21:12 |
| CVE-2026-35452 | WWBN AVideo has Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php | WWBN | AVideo | Medium | 5.3 | 2026-04-06 21:47:46 |
| CVE-2026-35450 | WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php | WWBN | AVideo | Medium | 5.3 | 2026-04-06 21:46:55 |
| CVE-2026-35449 | WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php | WWBN | AVideo | Medium | 5.3 | 2026-04-06 21:46:07 |
| CVE-2026-35448 | WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php | WWBN | AVideo | Low | 3.7 | 2026-04-06 21:45:02 |
| CVE-2026-35181 | WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php | WWBN | AVideo | Medium | 4.3 | 2026-04-06 19:09:45 |
| CVE-2026-35180 | WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write | WWBN | AVideo | Medium | 4.3 | 2026-04-06 19:06:46 |
| CVE-2026-35179 | WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php | WWBN | AVideo | Medium | 5.3 | 2026-04-06 19:05:49 |
| CVE-2026-34740 | AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation | WWBN | AVideo | Medium | 6.5 | 2026-03-31 20:57:14 |
| CVE-2026-34739 | AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php | WWBN | AVideo | Medium | 6.1 | 2026-03-31 20:56:16 |
| CVE-2026-34738 | AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter | WWBN | AVideo | Medium | 4.3 | 2026-03-31 20:55:09 |
| CVE-2026-34737 | AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug | WWBN | AVideo | Medium | 6.5 | 2026-03-31 20:53:52 |
| CVE-2026-34733 | AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard | WWBN | AVideo | Medium | 6.5 | 2026-03-31 20:52:46 |
| CVE-2026-34732 | AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints | WWBN | AVideo | Medium | 5.3 | 2026-03-31 20:51:51 |
| CVE-2026-34731 | AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php | WWBN | AVideo | High | 7.5 | 2026-03-31 20:50:24 |
| CVE-2026-34716 | AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification | WWBN | AVideo | Medium | 6.4 | 2026-03-31 20:49:22 |
| CVE-2026-34613 | AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins | WWBN | AVideo | Medium | 6.5 | 2026-03-31 20:45:51 |