| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-33238 | AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration | WWBN | AVideo | Medium | 4.3 | 2026-03-20 23:31:35 | Deep Dive |
| CVE-2026-33237 | AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation | WWBN | AVideo | Medium | 5.5 | 2026-03-20 23:30:04 | Deep Dive |
| CVE-2026-33043 | AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS | WWBN | AVideo | High | 8.1 | 2026-03-20 05:52:59 | Deep Dive |
| CVE-2026-33041 | AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php | WWBN | AVideo | Medium | 5.3 | 2026-03-20 05:50:07 | Deep Dive |
| CVE-2026-33039 | AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy | WWBN | AVideo | High | 8.6 | 2026-03-20 05:38:51 | Deep Dive |
| CVE-2026-33038 | AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments | WWBN | AVideo | High | 8.1 | 2026-03-20 05:35:57 | Deep Dive |
| CVE-2026-33037 | WWBN AVideo has predictable default admin credentials in official Docker deployment path | WWBN | AVideo | High | 8.1 | 2026-03-20 05:25:49 | Deep Dive |
| CVE-2026-33035 | Unauthenticated Reflected XSS via innerHTML in AVideo | WWBN | AVideo | Medium | - | 2026-03-20 05:08:32 | Deep Dive |
| CVE-2026-33025 | AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause | WWBN | AVideo-Encoder | Medium | - | 2026-03-20 05:02:10 | Deep Dive |
| CVE-2026-33024 | AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator | WWBN | AVideo-Encoder | Medium | - | 2026-03-20 04:58:48 | Deep Dive |
| CVE-2026-30885 | WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure | WWBN | AVideo | - | - | 2026-03-09 22:36:00 | Deep Dive |
| CVE-2026-29058 | AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php | WWBN | AVideo-Encoder | Critical | 9.8 | 2026-03-06 07:08:27 | Deep Dive |
| CVE-2026-28501 | WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php | WWBN | AVideo | Critical | 9.8 | 2026-03-06 03:05:22 | Deep Dive |
| CVE-2026-28502 | WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction | WWBN | AVideo | Medium | - | 2026-03-06 03:04:57 | Deep Dive |
| CVE-2026-29093 | WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memcached port | WWBN | AVideo | High | 8.1 | 2026-03-06 03:04:44 | Deep Dive |
| CVE-2026-27732 | AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php | WWBN | AVideo | High | - | 2026-02-24 14:56:55 | Deep Dive |
| CVE-2026-27568 | AVideo has Stored Cross-Site Scripting via Markdown Comment Injection | WWBN | AVideo | Medium | - | 2026-02-24 14:53:21 | Deep Dive |
| CVE-2020-37158 | AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset) | AVideo | AVideo Platform | Medium | 5.3 | 2026-02-11 20:49:49 | Deep Dive |
| CVE-2020-37173 | AVideo Platform 8.1 - Information Disclosure (User Enumeration) | AVideo | AVideo Platform | High | 7.5 | 2026-02-11 20:36:58 | Deep Dive |
| CVE-2020-37172 | AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset) | AVideo | AVideo Platform | Medium | 5.3 | 2026-02-11 20:33:34 | Deep Dive |