AVideo — Vulnerabilities & Security Advisories 171

All 171 CVE vulnerabilities found in AVideo, with AI-generated Chinese analysis, references, and POCs.

Vendor: WWBN

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33723 | AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php | CWE-89 | 7.1 | High | 2026-03-23 |
| CVE-2026-33719 | AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php | CWE-306 | 8.6 | High | 2026-03-23 |
| CVE-2026-33717 | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort | CWE-434 | 8.8 | High | 2026-03-23 |
| CVE-2026-33716 | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php | CWE-287 | 9.4 | Critical | 2026-03-23 |
| CVE-2026-33690 | AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() | CWE-348 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33688 | AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint | CWE-204 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33685 | AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data | CWE-862 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33683 | AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field | CWE-79 | 5.4 | Medium | 2026-03-23 |
| CVE-2026-33681 | AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name | CWE-22 | 7.2 | High | 2026-03-23 |
| CVE-2026-33651 | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat() | CWE-89 | 8.1 | High | 2026-03-23 |
| CVE-2026-33650 | AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion | CWE-863 | 7.6 | High | 2026-03-23 |
| CVE-2026-33649 | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification | CWE-352 | 8.1 | High | 2026-03-23 |
| CVE-2026-33648 | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path | CWE-78 | 8.8 | High | 2026-03-23 |
| CVE-2026-33647 | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload | CWE-434 | 8.8 | High | 2026-03-23 |
| CVE-2026-33513 | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP) | CWE-22 | 8.6 | High | 2026-03-23 |
| CVE-2026-33512 | AVideo has an unauthenticated decrypt oracle leaking any ciphertext | CWE-287 | 7.5 | High | 2026-03-23 |
| CVE-2026-33507 | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload | CWE-352 | 8.8 | High | 2026-03-23 |
| CVE-2026-33502 | AVideo has Unauthenticated SSRF via plugin/Live/test.php | CWE-918 | 9.3 | Critical | 2026-03-23 |
| CVE-2026-33501 | AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin | CWE-862 | 5.3 | Medium | 2026-03-23 |
| CVE-2026-33500 | AVideo Vulnerable to Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization | CWE-79 | 5.4 | Medium | 2026-03-23 |
| CVE-2026-33499 | AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php | CWE-79 | 6.1 | Medium | 2026-03-23 |
| CVE-2026-33493 | AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter | CWE-22 | 7.1 | High | 2026-03-23 |
| CVE-2026-33492 | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | CWE-384 | 7.3 | High | 2026-03-23 |
| CVE-2026-33488 | AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin | CWE-326 | 7.4 | High | 2026-03-23 |
| CVE-2026-33485 | AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter | CWE-89 | 7.5 | High | 2026-03-23 |
| CVE-2026-33483 | AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php | CWE-770 | 7.5 | High | 2026-03-23 |
| CVE-2026-33482 | AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand() | CWE-78 | 8.1 | High | 2026-03-23 |
| CVE-2026-33480 | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy | CWE-918 | 8.6 | High | 2026-03-23 |
| CVE-2026-33479 | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin | CWE-94 | 8.8 | High | 2026-03-23 |
| CVE-2026-33478 | AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection | CWE-78 | 10.0 | Critical | 2026-03-23 |