pkg:Packagist/WWBN/AVideo
14 total CVEs: HIGH 3, MEDIUM 9
All known vulnerabilities
- HIGH 8.8 | CVE-2026-45578 | AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL | from 0, <= 29.0
- HIGH 7.6 | CVE-2026-39369 | WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs | from 0, <= 26.0
- HIGH 7.1 | CVE-2026-39370 | WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) | from 0, <= 26.0
- MEDIUM 6.5 | CVE-2026-45619 | AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf` | from 0, <= 29.0
- MEDIUM 6.5 | CVE-2026-39368 | WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services | from 0, <= 26.0
- MEDIUM 6.1 | CVE-2026-50182 | WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination | from 0, <= 29.0
- MEDIUM 5.7 | CVE-2026-45610 | AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA | from 0, <= 29.0
- from 0, <= 29.0
- MEDIUM 5.4 | CVE-2026-45580 | AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute | from 0, <= 29.0
- MEDIUM 5.3 | CVE-2026-45620 | AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024` | from 0, <= 29.0
- MEDIUM 4.7 | CVE-2026-50183 | WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section | from 0, <= 29.0
- MEDIUM 4.3 | CVE-2026-47696 | WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint | from 0, <= 29.0
- — | CVE-2026-46337 | AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` | from 0, <= 29.0
- from 0, <= 29.0