AVideo — Vulnerabilities & Security Advisories (193)

All 193 CVE vulnerabilities found in AVideo, with AI-generated Chinese analysis, references, and POCs.

This page is a comprehensive vulnerability aggregation resource for AVideo, focusing on common weakness enumeration tags associated with the platform. It collects and organizes detailed reports on security flaws, including cross-site scripting, SQL injection, path traversal, and authentication bypass issues discovered within the AVideo software ecosystem. The data spans from the initial public disclosure of early vulnerabilities through to the most recent patches released by the vendor, ensuring a complete historical record of security incidents. By navigating this collection, security professionals and administrators can efficiently track the vendor’s advisory timeline to understand the pace and nature of remediation efforts. Users can also delve into the specifics of particular weakness classes to analyze attack vectors and mitigation strategies relevant to AVideo deployments. Additionally, the page serves as a lookup tool for reviewing a specific product version’s vulnerability history, helping teams assess risk exposure and prioritize updates based on past incident patterns. This centralized view facilitates informed decision-making for system hardening and compliance audits without requiring searches across multiple disparate sources. The information is presented to support proactive security management, allowing teams to anticipate potential threats and apply appropriate controls effectively. All entries are curated to provide accurate technical context, enabling deeper analysis of how specific defects impact the overall security posture of the application. This resource aims to reduce the time spent on information gathering, thereby accelerating the response to emerging security challenges in environments utilizing AVideo.

Vendor: WWBN

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34716 | AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification | CWE-79 | 6.4 | Medium | 2026-03-31 |
| CVE-2026-34613 | AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins | CWE-352 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-34611 | AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users | CWE-352 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-34396 | AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel | CWE-79 | 6.1 | Medium | 2026-03-31 |
| CVE-2026-34394 | AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking | CWE-352 | 8.1 | High | 2026-03-31 |
| CVE-2026-34395 | AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php | CWE-862 | 6.5 | Medium | 2026-03-31 |
| CVE-2026-34375 | AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page | CWE-79 | 8.2 | High | 2026-03-27 |
| CVE-2026-34374 | AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key | CWE-89 | 9.1 | Critical | 2026-03-27 |
| CVE-2026-34369 | AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification | CWE-862 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-34368 | AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance | CWE-362 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-34364 | AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php | CWE-863 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-34362 | AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() | CWE-613 | 5.4 | Medium | 2026-03-27 |
| CVE-2026-34247 | AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications | CWE-862 | 5.4 | Medium | 2026-03-27 |
| CVE-2026-34245 | AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking | CWE-862 | 6.3 | Medium | 2026-03-27 |
| CVE-2026-33867 | AVideo has Plaintext Video Password Storage | CWE-312 | 8.1 | - | 2026-03-27 |
| CVE-2026-33770 | AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables | CWE-89 | 9.8 | - | 2026-03-27 |
| CVE-2026-33767 | AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query | CWE-89 | 9.8 | - | 2026-03-27 |
| CVE-2026-33766 | AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints | CWE-918 | 8.2 | - | 2026-03-27 |
| CVE-2026-33764 | AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions | CWE-639 | 4.3 | Medium | 2026-03-27 |
| CVE-2026-33763 | AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle | CWE-307 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-33761 | AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings | CWE-862 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-33759 | AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents | CWE-862 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-33723 | AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php | CWE-89 | 7.1 | High | 2026-03-23 |
| CVE-2026-33719 | AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php | CWE-306 | 8.6 | High | 2026-03-23 |
| CVE-2026-33717 | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort | CWE-434 | 8.8 | High | 2026-03-23 |
| CVE-2026-33716 | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php | CWE-287 | 9.4 | Critical | 2026-03-23 |
| CVE-2026-33690 | AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() | CWE-348 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33688 | AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint | CWE-204 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33685 | AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data | CWE-862 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33683 | AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field | CWE-79 | 5.4 | Medium | 2026-03-23 |

All 193 known CVE vulnerabilities affecting AVideo with full Chinese analysis, references, and POCs where available.