
AVideo — Vulnerabilities & Security Advisories 171

All 171 CVE vulnerabilities found in AVideo, with AI-generated Chinese analysis, references, and POCs.

Vendor: WWBN

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-33354 | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` | CWE-73 | 7.6 | High | 2026-03-23 |
| CVE-2026-33352 | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) | CWE-89 | 9.8 | Critical | 2026-03-23 |
| CVE-2026-33351 | AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass | CWE-918 | 9.1 | Critical | 2026-03-23 |
| CVE-2026-33297 | AVideo has an IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php | CWE-639 | 9.1 | - | 2026-03-23 |
| CVE-2026-33296 | AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php | CWE-601 | 6.1 | - | 2026-03-22 |
| CVE-2026-33295 | AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php | CWE-79 | 5.4 | - | 2026-03-22 |
| CVE-2026-33294 | AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources | CWE-918 | 5.0 | Medium | 2026-03-22 |
| CVE-2026-33293 | AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter | CWE-22 | 8.1 | High | 2026-03-22 |
| CVE-2026-33319 | AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command | CWE-78 | 5.9 | Medium | 2026-03-22 |
| CVE-2026-33292 | AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos | CWE-22 | 7.5 | High | 2026-03-22 |
| CVE-2026-33238 | AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration | CWE-22 | 4.3 | Medium | 2026-03-20 |
| CVE-2026-33237 | AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation | CWE-918 | 5.5 | Medium | 2026-03-20 |
| CVE-2026-33043 | AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS | CWE-942 | 8.1 | High | 2026-03-20 |
| CVE-2026-33041 | AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php | CWE-200 | 5.3 | Medium | 2026-03-20 |
| CVE-2026-33039 | AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy | CWE-918 | 8.6 | High | 2026-03-20 |
| CVE-2026-33038 | AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments | CWE-306 | 8.1 | High | 2026-03-20 |
| CVE-2026-33037 | WWBN AVideo has predictable default admin credentials in official Docker deployment path | CWE-1188 | 8.1 | High | 2026-03-20 |
| CVE-2026-33035 | Unauthenticated Reflected XSS via innerHTML in AVideo | CWE-79 | 6.1 | - | 2026-03-20 |
| CVE-2026-30885 | WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure | CWE-306 | 5.3 (AI) | Medium (AI) | 2026-03-09 |
| CVE-2026-28501 | WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php | CWE-89 | 9.8 | Critical | 2026-03-06 |
| CVE-2026-28502 | WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction | CWE-434 | 7.2 | - | 2026-03-06 |
| CVE-2026-29093 | WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memcached port | CWE-287 | 8.1 | High | 2026-03-06 |
| CVE-2026-27732 | AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php | CWE-918 | 8.1 | - | 2026-02-24 |
| CVE-2026-27568 | AVideo has Stored Cross-Site Scripting via Markdown Comment Injection | CWE-79 | 9.0 | - | 2026-02-24 |
| CVE-2025-34433 | AVideo < 20.1 Unauthenticated RCE via Predictable Installation Salt | CWE-94 | 9.8 (AI) | Critical (AI) | 2025-12-19 |
| CVE-2025-34438 | AVideo < 20.1 IDOR Arbitrary Video Rotation | CWE-639 | 4.3 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-34437 | AVideo < 20.1 IDOR Arbitrary Comment Image Upload | CWE-639 | 4.3 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-34435 | AVideo < 20.1 IDOR Arbitrary File Deletion | CWE-639 | 6.5 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-34436 | AVideo < 20.1 IDOR Arbitrary File Upload | CWE-639 | 6.5 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-34434 | AVideo < 20.1 ImageGallery Plugin Unauthenticated File Upload and Deletion | CWE-306 | 9.1 (AI) | Critical (AI) | 2025-12-17 |
