| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-34611 | AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users | WWBN | AVideo | Medium | 6.5 | 2026-03-31 20:42:38 | Deep Dive |
| CVE-2026-34396 | AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel | WWBN | AVideo | Medium | 6.1 | 2026-03-31 20:40:44 | Deep Dive |
| CVE-2026-34394 | AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking | WWBN | AVideo | High | 8.1 | 2026-03-31 20:39:46 | Deep Dive |
| CVE-2026-34395 | AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php | WWBN | AVideo | Medium | 6.5 | 2026-03-31 20:38:54 | Deep Dive |
| CVE-2026-34375 | AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page | WWBN | AVideo | High | 8.2 | 2026-03-27 18:17:33 | Deep Dive |
| CVE-2026-34374 | AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key | WWBN | AVideo | Critical | 9.1 | 2026-03-27 18:16:22 | Deep Dive |
| CVE-2026-34369 | AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification | WWBN | AVideo | Medium | 5.3 | 2026-03-27 18:13:24 | Deep Dive |
| CVE-2026-34368 | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance | WWBN | AVideo | Medium | 5.3 | 2026-03-27 18:12:19 | Deep Dive |
| CVE-2026-34364 | AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php | WWBN | AVideo | Medium | 5.3 | 2026-03-27 18:11:06 | Deep Dive |
| CVE-2026-34362 | AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() | WWBN | AVideo | Medium | 5.4 | 2026-03-27 16:42:29 | Deep Dive |
| CVE-2026-34247 | AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications | WWBN | AVideo | Medium | 5.4 | 2026-03-27 16:39:05 | Deep Dive |
| CVE-2026-34245 | AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking | WWBN | AVideo | Medium | 6.3 | 2026-03-27 16:32:36 | Deep Dive |
| CVE-2026-33867 | AVideo has Plaintext Video Password Storage | WWBN | AVideo | Medium | - | 2026-03-27 16:30:17 | Deep Dive |
| CVE-2026-33770 | AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables | WWBN | AVideo | Medium | - | 2026-03-27 16:13:52 | Deep Dive |
| CVE-2026-33767 | AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query | WWBN | AVideo | Medium | - | 2026-03-27 16:12:37 | Deep Dive |
| CVE-2026-33766 | AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints | WWBN | AVideo | Medium | - | 2026-03-27 14:31:06 | Deep Dive |
| CVE-2026-33764 | AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions | WWBN | AVideo | Medium | 4.3 | 2026-03-27 14:29:54 | Deep Dive |
| CVE-2026-33763 | AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle | WWBN | AVideo | Medium | 5.3 | 2026-03-27 14:25:13 | Deep Dive |
| CVE-2026-33761 | AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings | WWBN | AVideo | Medium | 5.3 | 2026-03-27 14:24:08 | Deep Dive |
| CVE-2026-33759 | AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents | WWBN | AVideo | Medium | 5.3 | 2026-03-27 14:18:49 | Deep Dive |