Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

AVideo — Vulnerabilities & Security Advisories 171

All 171 CVE vulnerabilities found in AVideo, with AI-generated Chinese analysis, references, and POCs.

Vendor: WWBN

CVE IDTitleCVSSSeverityPublished
CVE-2026-35179 WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php CWE-862 5.3 Medium2026-04-06
CVE-2026-34740 AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation CWE-918 6.5 Medium2026-03-31
CVE-2026-34739 AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php CWE-79 6.1 Medium2026-03-31
CVE-2026-34738 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter CWE-285 4.3 Medium2026-03-31
CVE-2026-34737 AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug CWE-862 6.5 Medium2026-03-31
CVE-2026-34733 AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard CWE-284 6.5 Medium2026-03-31
CVE-2026-34732 AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints CWE-306 5.3 Medium2026-03-31
CVE-2026-34731 AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php CWE-306 7.5 High2026-03-31
CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification CWE-79 6.4 Medium2026-03-31
CVE-2026-34613 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins CWE-352 6.5 Medium2026-03-31
CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users CWE-352 6.5 Medium2026-03-31
CVE-2026-34396 AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel CWE-79 6.1 Medium2026-03-31
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking CWE-352 8.1 High2026-03-31
CVE-2026-34395 AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php CWE-862 6.5 Medium2026-03-31
CVE-2026-34375 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page CWE-79 8.2 High2026-03-27
CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key CWE-89 9.1 Critical2026-03-27
CVE-2026-34369 AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification CWE-862 5.3 Medium2026-03-27
CVE-2026-34368 AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance CWE-362 5.3 Medium2026-03-27
CVE-2026-34364 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php CWE-863 5.3 Medium2026-03-27
CVE-2026-34362 AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() CWE-613 5.4 Medium2026-03-27
CVE-2026-34247 AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications CWE-862 5.4 Medium2026-03-27
CVE-2026-34245 AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking CWE-862 6.3 Medium2026-03-27
CVE-2026-33867 AVideo has Plaintext Video Password Storage CWE-312 8.1 -2026-03-27
CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables CWE-89 9.8 -2026-03-27
CVE-2026-33767 AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query CWE-89 9.8 -2026-03-27
CVE-2026-33766 AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints CWE-918 8.2 -2026-03-27
CVE-2026-33764 AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions CWE-639 4.3 Medium2026-03-27
CVE-2026-33763 AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle CWE-307 5.3 Medium2026-03-27
CVE-2026-33761 AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings CWE-862 5.3 Medium2026-03-27
CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents CWE-862 5.3 Medium2026-03-27

All 171 known CVE vulnerabilities affecting AVideo with full Chinese analysis, references, and POCs where available.