Skip to content
Threat Feed

Vendor

AVideo

10 briefs RSS
critical advisory

AVideo OS Command Injection Vulnerability (CVE-2026-33482)

AVideo versions up to 26.0 are vulnerable to OS command injection due to insufficient sanitization of shell metacharacters in the `sanitizeFFmpegCommand()` function, potentially allowing arbitrary command execution.

AVideo command-injection cve-2026-33482 webserver
2r 1t
high advisory

AVideo Unauthenticated Access to Payment Log DataTables Endpoints

AVideo is vulnerable to unauthenticated access to multiple `list.json.php` endpoints due to missing authorization checks, allowing attackers to retrieve sensitive payment transaction records, including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin payment records, leading to financial data exposure and potential PII leakage.

AVideo authentication-bypass payment-data-leak
2r 2t 3i
high advisory

AVideo CDN Plugin Unauthenticated Configuration Modification

AVideo is vulnerable to unauthenticated configuration modification in its CDN plugin due to a bypassed key validation check when the default empty key is used, allowing modification of CDN URLs, storage credentials, and the authentication key itself.

AVideo cdn configuration-modification vulnerability
2r 3t
high advisory

AVideo CORS Origin Reflection with Credentials Leads to Account Takeover

The AVideo platform is vulnerable to CORS origin reflection, allowing attackers to steal user PII, livestream keys, and perform unauthorized actions by exploiting the permissive `allowOrigin` function on sensitive API endpoints.

AVideo cors account-takeover web-application
2r 4t 3i
critical advisory

AVideo Remote Code Execution via Polyglot File Upload (CVE-2026-33647)

AVideo versions up to 26.0 are vulnerable to remote code execution (CVE-2026-33647) due to insufficient file validation in the `ImageGallery::saveFile()` method, allowing attackers to upload polyglot files with a `.php` extension to achieve code execution.

AVideo CVE-2026-33647 RCE File Upload Polyglot
2r 1t
critical advisory

AVideo Platform Unauthenticated Live Stream Control via streamerURL Manipulation

AVideo platform versions up to 26.0 are vulnerable to unauthenticated control of live streams due to manipulation of the `streamerURL` parameter in the `control.json.php` endpoint, enabling actions like dropping publishers or starting/stopping recordings.

AVideo Platform avideo authentication-bypass cve-2026-33716
2r 1t
critical advisory

AVideo SSRF Vulnerability via IPv4-Mapped IPv6 Bypass (CVE-2026-33480)

AVideo versions up to 26.0 are vulnerable to server-side request forgery (SSRF) due to a bypass in the `isSSRFSafeURL()` function, allowing unauthenticated attackers to access internal resources.

AVideo ssrf cve-2026-33480 webserver
2r 1t
critical advisory

AVideo SQL Injection Vulnerability (CVE-2026-33651)

AVideo versions up to 26.0 are vulnerable to time-based blind SQL injection via the `live_schedule_id` parameter in `remindMe.json.php`, allowing authenticated users to extract arbitrary database contents.

AVideo sql-injection cve-2026-33651 webserver
2r 1t
high advisory

AVideo Session Fixation Vulnerability (CVE-2026-33492)

AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.

AVideo cve-2026-33492 session-fixation web-application
2r 1t
high advisory

AVideo EncoderReceiveImage Local File Inclusion Vulnerability

AVideo is vulnerable to local file inclusion (LFI) via the EncoderReceiveImage endpoint, allowing authenticated uploaders to read sensitive server files by bypassing path traversal restrictions.

AVideo lfi file-disclosure php
2r 1t 1c