pkg:Packagist/WWBN/AVideo

所有已知漏洞

• HIGH8.8CVE-2026-45578AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
  from 0, <= 29.0
• HIGH7.6CVE-2026-39369WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
  from 0, <= 26.0
• HIGH7.1CVE-2026-39370WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
  from 0, <= 26.0
• MEDIUM6.5CVE-2026-45619AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
  from 0, <= 29.0
• MEDIUM6.5CVE-2026-39368WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
  from 0, <= 26.0
• MEDIUM5.7CVE-2026-45610AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
  from 0, <= 29.0
• MEDIUM5.4CVE-2026-45580AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
  from 0, <= 29.0
• MEDIUM5.3CVE-2026-45620AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
  from 0, <= 29.0
• —CVE-2026-46337AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
  from 0, <= 29.0
• —CVE-2026-45731AVideo: Authenticated Arbitrary File Read in view/update.php
  from 0, <= 29.0