AVideo — Vulnerabilities & Security Advisories 171

All 171 CVE vulnerabilities found in AVideo, with AI-generated Chinese analysis, references, and POCs.

Vendor: WWBN

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41304 | WWBN AVideo vulnerable to RCE caused by clonesite plugin | CWE-77 | 8.8 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-41064 | AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) | CWE-78 | 9.3 | Critical | 2026-04-21 |
| CVE-2026-41063 | WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) | CWE-79 | 5.4 | Medium | 2026-04-21 |
| CVE-2026-41062 | WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters | CWE-22 | 6.5 | Medium | 2026-04-21 |
| CVE-2026-41061 | WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiver | CWE-79 | 5.4 | Medium | 2026-04-21 |
| CVE-2026-41060 | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL | CWE-918 | 7.7 | High | 2026-04-21 |
| CVE-2026-41058 | AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo | CWE-22 | 8.1 | High | 2026-04-21 |
| CVE-2026-41057 | AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses | CWE-346 | 7.1 | High | 2026-04-21 |
| CVE-2026-41056 | AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover | CWE-942 | 8.1 | High | 2026-04-21 |
| CVE-2026-41055 | AVideo has an incomplete fix for CVE-2026-33039 (SSRF) | CWE-918 | 8.6 | High | 2026-04-21 |
| CVE-2026-40935 | WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure | CWE-804 | 5.3 | Medium | 2026-04-21 |
| CVE-2026-40929 | WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators | CWE-352 | 5.4 | Medium | 2026-04-21 |
| CVE-2026-40928 | AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion | CWE-352 | 5.4 | Medium | 2026-04-21 |
| CVE-2026-40926 | WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | CWE-352 | 7.1 | High | 2026-04-21 |
| CVE-2026-40925 | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | CWE-352 | 8.3 | High | 2026-04-21 |
| CVE-2026-40911 | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks | CWE-94 | 10.0 | Critical | 2026-04-21 |
| CVE-2026-40909 | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) | CWE-22 | 8.7 | High | 2026-04-21 |
| CVE-2026-40908 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version | CWE-200 | 5.3 | Medium | 2026-04-21 |
| CVE-2026-40907 | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | CWE-639 | 6.5 | Medium | 2026-04-21 |
| CVE-2026-39370 | WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) | CWE-918 | 7.1 | High | 2026-04-07 |
| CVE-2026-39369 | WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs | CWE-22 | 7.6 | High | 2026-04-07 |
| CVE-2026-39368 | WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services | CWE-918 | 6.5 | Medium | 2026-04-07 |
| CVE-2026-39367 | WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page | CWE-79 | 5.4 | Medium | 2026-04-07 |
| CVE-2026-39366 | WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php | CWE-345 | 6.5 | Medium | 2026-04-07 |
| CVE-2026-35452 | WWBN AVideo has Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35450 | WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php | CWE-306 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35449 | WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35448 | WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php | CWE-862 | 3.7 | Low | 2026-04-06 |
| CVE-2026-35181 | WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php | CWE-352 | 4.3 | Medium | 2026-04-06 |
| CVE-2026-35180 | WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write | CWE-352 | 4.3 | Medium | 2026-04-06 |

All 171 known CVE vulnerabilities affecting AVideo with full Chinese analysis, references, and POCs where available.