Please report security issues to developer@streamphp.com
Security: WWBN/AVideo
.github/SECURITY.md
- Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
  GHSA-cmcr-q4jf-p6q9, published Apr 6, 2026 by DanielnetoDotCom. Severity: High
- GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
  GHSA-f4f9-627c-jh33, published Apr 6, 2026 by DanielnetoDotCom. Severity: High
- Live restream log callback flow enables stored SSRF to internal services
  GHSA-q4x6-6mm2-crg9, published Apr 6, 2026 by DanielnetoDotCom. Severity: Moderate
- Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
  GHSA-rqp3-gf5h-mrqx, published Apr 6, 2026 by DanielnetoDotCom. Severity: Moderate
- PayPal IPN Replay Attack Enables Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php
  GHSA-mmw7-wq3c-wf9p, published Apr 6, 2026 by DanielnetoDotCom. Severity: Moderate
- Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php
  GHSA-99j6-hj87-6fcf, published Apr 2, 2026 by DanielnetoDotCom. Severity: Moderate
- Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
  GHSA-2vg4-rrx4-qcpq, published Apr 2, 2026 by DanielnetoDotCom. Severity: Moderate
- Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
  GHSA-hg8q-8wqr-35xx, published Apr 2, 2026 by DanielnetoDotCom. Severity: Moderate
- Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
  GHSA-3v7m-qg4x-58h9, published Apr 2, 2026 by DanielnetoDotCom. Severity: Low
- CSRF on Player Skin Configuration via admin/playerUpdate.json.php
  GHSA-4q27-4rrq-fx95, published Apr 1, 2026 by DanielnetoDotCom. Severity: Moderate
Learn more about advisories related to WWBN/AVideo in the GitHub Advisory Database