Avideo

WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.

WWBN AVideo versions 29.0 and below are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix in the LiveLinks proxy, potentially allowing attackers to redirect traffic to internal endpoints.

WWBN AVideo versions up to 29.0 contain an OS Command Injection vulnerability (CVE-2026-41064) in the `test.php` file, allowing unauthenticated remote code execution due to insufficient input sanitization, especially affecting `file_get_contents` and `curl` code paths.

WWBN AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix for CVE-2026-27732, allowing authenticated uploaders to bypass SSRF protection by providing a `downloadURL` with a common media extension, leading to internal response exfiltration.

WWBN AVideo, up to version 26.0, contains an improper authentication vulnerability (CVE-2026-33512) in the API plugin's `decryptString` action, allowing unauthenticated users to decrypt publicly accessible ciphertext and potentially recover protected tokens/metadata.

WWBN AVideo platform versions up to 26.0 are vulnerable to SQL injection (CVE-2026-33723), allowing authenticated attackers to inject arbitrary SQL commands via the 'user_id' POST parameter and extract sensitive data such as password hashes, API keys, and encryption salts.

WWBN AVideo platform versions up to 26.0 allows a 'Videos Moderator' to escalate privileges and perform unauthorized video management operations due to inconsistent authorization checks.

AVideo versions up to 26.0 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint, allowing attackers to make the server send arbitrary HTTP requests, potentially exposing internal resources and cloud metadata.

WWBN AVideo platform versions up to 26.0 are vulnerable to unauthorized file access and deletion, where an authenticated user with upload permissions can exploit the `objects/import.json.php` endpoint by manipulating the `fileURI` parameter to steal private video files, read adjacent text files, and delete `.mp4` and other writable files on the filesystem.