Security: WWBN/AVideo
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
  GHSA-66q5-cj5g-wrfx, published May 28, 2026 by DanielnetoDotCom, severity: Moderate
- Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination
  GHSA-hgjh-6wj8-gcgf, published May 28, 2026 by DanielnetoDotCom, severity: Moderate
- Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler
  GHSA-2fhx-q92v-5fhv, published May 25, 2026 by DanielnetoDotCom, severity: High
- Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
  GHSA-9392-pj54-qqf8, published May 19, 2026 by DanielnetoDotCom, severity: High
- Stored XSS via unescaped Gallery category description
  GHSA-c8h8-vq34-9fw2, published May 19, 2026 by DanielnetoDotCom, severity: Moderate
- Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
  GHSA-w4qq-74h6-58wq, published May 13, 2026 by DanielnetoDotCom, severity: Moderate
- Authenticated Arbitrary File Read in view/update.php
  GHSA-3mjv-375j-6h92, published May 12, 2026 by DanielnetoDotCom, severity: Moderate
- AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
  GHSA-vpfx-pxqw-2w79, published May 11, 2026 by DanielnetoDotCom, severity: Moderate
- AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
  GHSA-c3ch-22rq-xfwr, published May 11, 2026 by DanielnetoDotCom, severity: Moderate
- plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
  GHSA-3mv2-vmwh-rwfx, published May 11, 2026 by DanielnetoDotCom, severity: Moderate