Avideo

AVideo is vulnerable to OS command injection (CVE-2026-45578) in the `on_publish.php` file due to improper sanitization of the m3u8 URL, allowing attackers to execute arbitrary commands by injecting shell metacharacters.

WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.

WWBN AVideo versions 29.0 and below are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix in the LiveLinks proxy, potentially allowing attackers to redirect traffic to internal endpoints.

WWBN AVideo versions up to 29.0 contain an OS Command Injection vulnerability (CVE-2026-41064) in the `test.php` file, allowing unauthenticated remote code execution due to insufficient input sanitization, especially affecting `file_get_contents` and `curl` code paths.

WWBN AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix for CVE-2026-27732, allowing authenticated uploaders to bypass SSRF protection by providing a `downloadURL` with a common media extension, leading to internal response exfiltration.

WWBN AVideo, up to version 26.0, contains an improper authentication vulnerability (CVE-2026-33512) in the API plugin's `decryptString` action, allowing unauthenticated users to decrypt publicly accessible ciphertext and potentially recover protected tokens/metadata.

WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.

WWBN AVideo platform versions up to 26.0 allows a 'Videos Moderator' to escalate privileges and perform unauthorized video management operations due to inconsistent authorization checks.

AVideo versions up to 26.0 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint, allowing attackers to make the server send arbitrary HTTP requests, potentially exposing internal resources and cloud metadata.

WWBN AVideo platform versions up to 26.0 are vulnerable to unauthorized file access and deletion, where an authenticated user with upload permissions can exploit the `objects/import.json.php` endpoint by manipulating the `fileURI` parameter to steal private video files, read adjacent text files, and delete `.mp4` and other writable files on the filesystem.

AVideo version 29.0 and earlier is vulnerable to unauthenticated API secret disclosure via a publicly accessible endpoint, allowing unauthorized access to protected API endpoints.

AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to improper validation of user-supplied URLs that does not prevent HTTP redirects, and DNS rebinding due to discarded resolved IP addresses.

AVideo is vulnerable to unauthenticated information disclosure via the `plugin/CloneSite/cloneClient.json.php` endpoint, which echoes the local CloneSite shared secret (`$objClone->myKey`) in HTTP responses without authentication, enabling cross-site database dumps of the configured clone server.

AVideo is vulnerable to unauthenticated cross-site scripting (XSS) due to an incomplete server-side fix for a YPTSocket `autoEvalCodeOnHTML` eval sink, allowing an attacker to bypass the fix by nesting the payload under a top-level `json` field, leading to arbitrary JavaScript execution in any logged-in user's browser session.