Security: WWBN/AVideo
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes
  GHSA-jw8g-5j46-44rp, published Apr 25, 2026 by DanielnetoDotCom. Severity: Moderate
- Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameters Reflected into JavaScript String Literal
  GHSA-mm5f-8q57-4fc4, published Apr 25, 2026 by DanielnetoDotCom. Severity: Moderate
- HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers
  GHSA-g9cm-rxp7-6gv5, published Apr 25, 2026 by DanielnetoDotCom. Severity: Moderate
- Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Takeover
  GHSA-5w8w-26ch-v5cw, published Apr 25, 2026 by DanielnetoDotCom. Severity: Moderate
- Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
  GHSA-ghcv-22jf-vfxm, published Apr 25, 2026 by DanielnetoDotCom. Severity: High
- Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server
  GHSA-qm9p-p5pw-jrx2, published Apr 25, 2026 by DanielnetoDotCom. Severity: High
- RCE cause by clonesite plugin
  GHSA-xr6f-h4x7-r6qp, published Apr 15, 2026 by DanielnetoDotCom. Severity: High
- Incomplete fix for CVE-2026-33502: Command Injection in AVideo
  GHSA-pq8p-wc4f-vg7j, published Apr 13, 2026 by DanielnetoDotCom. Severity: High
- Incomplete fix for CVE-2026-33500: XSS in AVideo
  GHSA-m7r8-6q9j-m2hc, published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters
  GHSA-m63r-m9jh-3vc6, published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate