Security: WWBN/AVideo
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Stored XSS via Unanchored Duration Regex in Video Encoder Receiver (GHSA-8pv3-29pp-pf8f), published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL (GHSA-j432-4w3j-3w8j), published Apr 13, 2026 by DanielnetoDotCom. Severity: High
- Incomplete fix for CVE-2026-33293: Path Traversal in AVideo (GHSA-5879-4fmr-xwf2), published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses (GHSA-ff5q-cc22-fgp4), published Apr 13, 2026 by DanielnetoDotCom. Severity: High
- CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover (GHSA-ccq9-r5cw-5hwq), published Apr 13, 2026 by DanielnetoDotCom. Severity: High
- Incomplete fix for CVE-2026-33039: SSRF in AVideo (GHSA-793q-xgj6-7frp), published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure (GHSA-hg7g-56h5-5pqr), published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- Missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators (GHSA-8qm8-g55h-xmqr), published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion (GHSA-x2pw-9c38-cp2j), published Apr 13, 2026 by DanielnetoDotCom. Severity: Moderate
- Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) (GHSA-ffw8-fwxp-h64w), published Apr 13, 2026 by DanielnetoDotCom. Severity: High