pkg:Packagist/wwbn/avideo

134 CVEs in total: 13 CRITICAL, 46 HIGH, 61 MEDIUM, 1 LOW; the remaining 13 entries carry no CVSS score on this page.


All known vulnerabilities (severity and CVSS score in brackets; the second line of each entry is the affected version range in the page's own notation, where "from 0" means every release from the first one)

  • [CRITICAL 10.0] CVE-2026-40911: WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
    from 0, <= 29.0
  • [CRITICAL 10.0] CVE-2026-33478: AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
    from 0, <= 26.0
  • [CRITICAL 9.8] CVE-2026-41304: WWBN AVideo: RCE caused by clonesite plugin
    from 0, <= 29.0
  • [CRITICAL 9.8] CVE-2026-33352: AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)
    from 0, <= 26.0
  • [CRITICAL 9.8] CVE-2026-29058: WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
    from 0, < 7.0.0
  • [CRITICAL 9.8] CVE-2026-28501: AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
    from 0, <= 21.0.0
  • [CRITICAL 9.8] CVE-2024-31819: WWBN AVideo Remote Code Execution
    >= 12.4, < 14.3
  • [CRITICAL 9.8] CVE-2023-49599: WWBN AVideo Insufficient Entropy vulnerability
    from 0, <= 12.4
  • [CRITICAL 9.6] CVE-2023-25313: AVideo contains Command injection when embedding a video link
    from 0, < 12.4
  • [CRITICAL 9.4] CVE-2026-33716: AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
    from 0, <= 26.0
  • [CRITICAL 9.3] CVE-2026-41064: WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection
    from 0, <= 29.0
  • [CRITICAL 9.3] CVE-2026-33502: AVideo has Unauthenticated SSRF via plugin/Live/test.php
    from 0, <= 26.0
  • [CRITICAL 9.1] CVE-2026-33351: AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
    from 0, <= 26.0
  • [HIGH 8.8] CVE-2026-33717: AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL
    from 0, <= 26.0
  • [HIGH 8.8] CVE-2026-33648: AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path
    from 0, <= 26.0
  • [HIGH 8.8] CVE-2026-33647: AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload
    from 0, <= 26.0
  • [HIGH 8.8] CVE-2026-33507: AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
    from 0, <= 26.0
  • [HIGH 8.8] CVE-2026-33479: AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
    from 0, <= 26.0
  • [HIGH 8.8] CVE-2023-32073: WWBN AVideo command injection vulnerability
    from 0, <= 12.4
  • [HIGH 8.8] CVE-2023-30854: Remote code injection in wwbn/avideo
    from 0, < 12.4
  • [HIGH 8.8] CVE-2020-23489: AVideo vulnerable to Improper Privilege Management
    from 0, < 8.9
  • [HIGH 8.7] CVE-2026-40909: WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
    from 0, <= 29.0
  • [HIGH 8.6] CVE-2026-33719: AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment
    from 0, <= 26.0
  • [HIGH 8.6] CVE-2026-33513: AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
    from 0, <= 26.0
  • [HIGH 8.6] CVE-2026-33480: AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
    from 0, <= 26.0
  • [HIGH 8.6] CVE-2026-33039: AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy
    from 0, <= 25.0
  • [HIGH 8.3] CVE-2026-40925: WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
    from 0, <= 29.0
  • [HIGH 8.2] CVE-2026-34375: AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
    from 0, <= 26.0
  • [HIGH 8.1] CVE-2026-41058: WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal
    from 0, <= 29.0
  • [HIGH 8.1] CVE-2026-41056: WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
    from 0, <= 29.0
  • [HIGH 8.1] CVE-2026-34394: AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
    from 0, <= 26.0
  • [HIGH 8.1] CVE-2026-33651: AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat()
    from 0, <= 26.0
  • [HIGH 8.1] CVE-2026-33649: AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
    from 0, <= 26.0
  • [HIGH 8.1] CVE-2026-33482: AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
    from 0, <= 26.0
  • [HIGH 8.1] CVE-2026-33293: AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter
    from 0, <= 25.0
  • [HIGH 8.1] CVE-2026-33043: AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
    from 0, <= 25.0
  • [HIGH 8.1] CVE-2026-33038: AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments
    from 0, <= 25.0
  • [HIGH 8.1] CVE-2026-29093: AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
    from 0, <= 21.0
  • [HIGH 8.1] CVE-2026-27732: AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
    from 0, <= 21.0.0
  • [HIGH 8.0] CVE-2023-30860: WWBN/AVideo stored XSS vulnerability leads to takeover of any user's account, including admin's account
    from 0, < 12.4
  • [HIGH 7.7] CVE-2026-43884: AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
    from 0, <= 29.0
  • [HIGH 7.7] CVE-2026-41060: WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
    from 0, <= 29.0
  • [HIGH 7.6] CVE-2026-33650: AVideo: Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
    from 0, <= 26.0
  • [HIGH 7.6] CVE-2026-33354: AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`
    from 0, <= 26.0
  • [HIGH 7.5] CVE-2026-43873: AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
    from 0, <= 29.0
  • [HIGH 7.5] CVE-2026-34731: AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
    from 0, <= 26.0
  • [HIGH 7.5] CVE-2026-33512: AVideo has an unauthenticated decrypt oracle leaking any ciphertext
    from 0, <= 26.0
  • [HIGH 7.5] CVE-2026-33485: AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter
    from 0, <= 26.0
  • [HIGH 7.5] CVE-2026-33483: AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
    from 0, <= 26.0
  • [HIGH 7.5] CVE-2026-33292: AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos
    from 0, <= 25.0
  • [HIGH 7.4] CVE-2026-33488: AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin
    from 0, <= 26.0
  • [HIGH 7.3] CVE-2026-33492: AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
    from 0, <= 26.0
  • [HIGH 7.3] CVE-2023-49810: WWBN AVideo Improper Restriction of Excessive Authentication Attempts vulnerability
    from 0, <= 12.4
  • [HIGH 7.2] CVE-2026-43874: AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
    from 0, <= 29.0
  • [HIGH 7.2] CVE-2026-33681: AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name
    from 0, <= 26.0
  • [HIGH 7.1] CVE-2026-41057: WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses
    from 0, <= 29.0
  • [HIGH 7.1] CVE-2026-40926: WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
    from 0, <= 29.0
  • [HIGH 7.1] CVE-2026-33723: AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter
    from 0, <= 26.0
  • [HIGH 7.1] CVE-2026-33493: AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter
    from 0, <= 26.0
  • [MEDIUM 6.8] CVE-2026-43875: AVideo: Password Hash Leak in MobileManager OAuth Redirect URL Enables Account Takeover
    from 0, <= 29.0
  • [MEDIUM 6.5] CVE-2026-41062: WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
    from 0, <= 29.0
  • [MEDIUM 6.5] CVE-2026-40907: WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
    from 0, <= 29.0
  • [MEDIUM 6.5] CVE-2026-39366: WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
    from 0, <= 26.0
  • [MEDIUM 6.5] CVE-2026-34740: AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
    from 0, <= 26.0
  • [MEDIUM 6.5] CVE-2026-34737: AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug
    from 0, <= 26.0
  • [MEDIUM 6.5] CVE-2026-34733: AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
    from 0, <= 26.0
  • [MEDIUM 6.5] CVE-2026-34613: AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
    from 0, <= 26.0
  • [MEDIUM 6.5] CVE-2026-34611: AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
    from 0, <= 26.0
  • [MEDIUM 6.5] CVE-2026-34395: AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
    from 0, <= 26.0
  • [MEDIUM 6.4] CVE-2026-43876: AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
    from 0, <= 29.0
  • [MEDIUM 6.4] CVE-2026-34716: AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
    from 0, <= 26.0
  • [MEDIUM 6.3] CVE-2026-34245: AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
    from 0, <= 26.0
  • [MEDIUM 6.1] CVE-2026-43878: AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
    from 0, <= 29.0
  • [MEDIUM 6.1] CVE-2026-34739: AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
    from 0, <= 26.0
  • [MEDIUM 6.1] CVE-2026-34396: AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
    from 0, <= 26.0
  • [MEDIUM 6.1] CVE-2026-33499: AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
    from 0, <= 26.0
  • [MEDIUM 6.1] CVE-2024-34899: AVideo cross-site scripting vulnerability in the view/about.php page
    from 0, < 14.3
  • [MEDIUM 6.1] CVE-2022-27463: Open redirect in wwbn/avideo
    from 0, <= 11.6
  • [MEDIUM 5.9] CVE-2026-33319: AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command
    from 0, <= 25.0
  • [MEDIUM 5.5] CVE-2026-33237: AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation
    from 0, < 26.0
  • [MEDIUM 5.4] CVE-2026-43879: AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
    from 0, <= 29.0
  • [MEDIUM 5.4] CVE-2026-43877: AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Authenticated Users' Profile Photos with Arbitrary Content
    from 0, <= 29.0
  • [MEDIUM 5.4] CVE-2026-41063: WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
    from 0, <= 29.0
  • [MEDIUM 5.4] CVE-2026-41061: WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver
    from 0, <= 29.0
  • [MEDIUM 5.4] CVE-2026-40929: WWBN AVideo: Missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
    from 0, <= 29.0
  • [MEDIUM 5.4] CVE-2026-40928: WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
    from 0, <= 29.0
  • [MEDIUM 5.4] CVE-2026-39367: WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
    from 0, <= 26.0
  • [MEDIUM 5.4] CVE-2026-34362: AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
    from 0, <= 26.0
  • [MEDIUM 5.4] CVE-2026-34247: AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications
    from 0, <= 26.0
  • [MEDIUM 5.4] CVE-2026-33683: AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
    from 0, <= 26.0
  • [MEDIUM 5.4] CVE-2026-33500: AVideo: Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-43881: AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
    from 0, <= 29.0
  • [MEDIUM 5.3] CVE-2026-43880: AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site's Legitimate From Address
    from 0, <= 29.0
  • [MEDIUM 5.3] CVE-2026-41055: WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF
    from 0, <= 29.0
  • [MEDIUM 5.3] CVE-2026-40935: CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure
    from 0, <= 29.0
  • [MEDIUM 5.3] CVE-2026-40908: WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
    from 0, <= 29.0
  • [MEDIUM 5.3] CVE-2026-35452: AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-35450: AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-35449: AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-35179: AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-34732: AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-34369: AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-34368: AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-34364: AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33763: AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33761: AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33759: AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33690: AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33688: AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33685: AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33501: AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
    from 0, <= 26.0
  • [MEDIUM 5.3] CVE-2026-33041: AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php
    from 0, <= 25.0
  • [MEDIUM 5.3] CVE-2023-50172: WWBN AVideo recovery notification bypass vulnerability
    from 0, <= 12.4
  • [MEDIUM 5.0] CVE-2026-33294: AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources
    from 0, <= 25.0
  • [MEDIUM 4.3] CVE-2026-43882: AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
    from 0, <= 29.0
  • [MEDIUM 4.3] CVE-2026-35181: AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
    from 0, <= 26.0
  • [MEDIUM 4.3] CVE-2026-34738: AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
    from 0, <= 26.0
  • [MEDIUM 4.3] CVE-2026-33764: AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
    from 0, <= 26.0
  • [MEDIUM 4.3] CVE-2026-33238: AVideo has a Path Traversal in listFiles.json.php Enables Server Filesystem Enumeration
    from 0, < 26.0
  • [MEDIUM 4.2] CVE-2026-43883: AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
    from 0, <= 29.0
  • [LOW 3.7] CVE-2026-35448: AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
    from 0, <= 26.0
  • [no CVSS score listed] CVE-2026-49279: WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
    from 0, <= 29.0
  • [no CVSS score listed] CVE-2026-43885: AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization
    from 0, <= 29.0
  • [no CVSS score listed] CVE-2026-33867: AVideo has Plaintext Video Password Storage
    from 0, <= 26.0
  • [no CVSS score listed] CVE-2026-33770: AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
    from 0, <= 26.0
  • [no CVSS score listed] CVE-2026-33767: AVideo has SQL Injection via Partial Prepared Statement: videos_id Concatenated Directly into Query
    from 0, < 26.0
  • [no CVSS score listed] CVE-2026-33766: AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints
    from 0, <= 26.0
  • [no CVSS score listed] CVE-2026-33297: AVideo: IDOR: Any Admin Can Set Another User's Channel Password via setPassword.json.php
    from 0, <= 25.0
  • [no CVSS score listed] CVE-2026-33296: AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
    from 0, <= 25.0
  • [no CVSS score listed] CVE-2026-33295: AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
    from 0, <= 25.0
  • [no CVSS score listed] CVE-2026-33035: Unauthenticated Reflected XSS via innerHTML in AVideo
    from 0, <= 25.0
  • [no CVSS score listed] CVE-2026-30885: AVideo has Unauthenticated IDOR: Playlist Information Disclosure
    from 0, < 25.0
  • [no CVSS score listed] CVE-2026-28502: AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
    from 0
  • [no CVSS score listed] CVE-2026-27568: AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
    from 0, < 21.0
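To check an installed AVideo version against the affected ranges shown on this page, the following is an added example (not part of the listing, and not code from the AVideo project). It parses the page's own range notation ("from 0, <= 29.0", ">= 12.4, < 14.3", "< 7.0.0", and the unbounded "from 0"), normalises versions such as "29.0" and "29.0.0" to compare equal, and reports which advisories apply. The ADVISORIES table is a hand-copied subset of the entries above with shortened titles; in practice you would paste in the full list.

```python
# Added example: match an installed AVideo version against the page's affected ranges.
# Not part of the advisory listing and not AVideo project code.
import re

# Subset of the page's entries, copied by hand (CVE, severity label, affected-range
# string in the page's own notation). Severity is None where the page lists no score.
ADVISORIES = [
    ("CVE-2026-40911", "CRITICAL", "from 0, <= 29.0"),
    ("CVE-2026-29058", "CRITICAL", "from 0, < 7.0.0"),
    ("CVE-2024-31819", "CRITICAL", ">= 12.4, < 14.3"),
    ("CVE-2026-33237", "MEDIUM", "from 0, < 26.0"),
    ("CVE-2026-28502", None, "from 0"),  # no upper bound published on the page
]

_OPS = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
}

_CLAUSE = re.compile(r"(from|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text, width=3):
    """'14.3' -> (14, 3, 0); padding makes '29.0' and '29.0.0' compare equal,
    while '29.0.1' sorts after both, which is what '<= 29.0' needs."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    if len(parts) < width:
        parts += [0] * (width - len(parts))
    return tuple(parts)


def parse_range(spec):
    """'from 0, <= 29.0' -> [('>=', (0,0,0)), ('<=', (29,0,0))].
    'from X' is the page's wording for an inclusive lower bound."""
    predicates = []
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, version = m.groups()
        predicates.append((">=" if op == "from" else op, parse_version(version)))
    return predicates


def is_affected(installed, spec):
    """True when the installed version satisfies every clause of the range."""
    v = parse_version(installed)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def applicable(installed, advisories=ADVISORIES):
    """CVE IDs whose published affected range contains the installed version."""
    return [cve for cve, _sev, spec in advisories if is_affected(installed, spec)]


def worst_severity(installed, advisories=ADVISORIES):
    """Highest listed severity among the applicable advisories, or None."""
    order = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
    hits = [sev for cve, sev, spec in advisories
            if sev and is_affected(installed, spec)]
    return max(hits, key=order.__getitem__) if hits else None


if __name__ == "__main__":
    for ver in ("6.2", "14.3", "29.0", "29.0.1"):
        print(ver, applicable(ver), worst_severity(ver))
```

Two caveats when reading the result. An upper bound such as "<= 29.0" only says that 29.0 is affected; the page does not state the fixed release, so a version that falls outside every range should still be checked against the advisory text before it is treated as patched. And an entry with no upper bound ("from 0") matches every version by construction, which is the conservative reading of the page, not a claim that no fix exists.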