Security: WWBN/AVideo
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
  GHSA-m5j4-7r85-2cj2 published May 11, 2026 by DanielnetoDotCom (Moderate)
- Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
  GHSA-xw67-cg5f-4m2r published May 11, 2026 by DanielnetoDotCom (High)
- Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
  GHSA-qxvm-r42f-5p8j published May 11, 2026 by DanielnetoDotCom (High)
- Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization in WWBN/AVideo
  GHSA-xr49-f4rh-qcjf published Apr 27, 2026 by DanielnetoDotCom (High)
- SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
  GHSA-2hch-c97c-g99x published Apr 27, 2026 by DanielnetoDotCom (High)
- IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
  GHSA-958h-qp3x-q4gj published Apr 27, 2026 by DanielnetoDotCom (Moderate)
- Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
  GHSA-mwgh-92m2-wvhv published Apr 27, 2026 by DanielnetoDotCom (Moderate)
- Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard
  GHSA-6rvw-7p8v-mjfq published Apr 27, 2026 by DanielnetoDotCom (Moderate)
- Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address
  GHSA-5hgj-7gm9-cff5 published Apr 27, 2026 by DanielnetoDotCom (Moderate)
- Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
  GHSA-wp38-whx3-xffh published Apr 27, 2026 by DanielnetoDotCom (Moderate)