Security: WWBN/AVideo
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
  GHSA-c3ch-22rq-xfwr published May 11, 2026 by DanielnetoDotCom (Moderate)
- plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
  GHSA-3mv2-vmwh-rwfx published May 11, 2026 by DanielnetoDotCom (Moderate)
- Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
  GHSA-m5j4-7r85-2cj2 published May 11, 2026 by DanielnetoDotCom (Moderate)
- Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
  GHSA-xw67-cg5f-4m2r published May 11, 2026 by DanielnetoDotCom (High)
- Meet plugin: `uploadRecordedVideo.json.php` derives `users_id` from the uploaded filename and calls passwordless `User->login()`, allowing any caller with the Meet shared secret to obtain a session as arbitrary users including admin
  GHSA-qxvm-r42f-5p8j published May 11, 2026 by DanielnetoDotCom (High)
- Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization in WWBN/AVideo
  GHSA-xr49-f4rh-qcjf published Apr 27, 2026 by DanielnetoDotCom (High)
- SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
  GHSA-2hch-c97c-g99x published Apr 27, 2026 by DanielnetoDotCom (High)
- IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements
  GHSA-958h-qp3x-q4gj published Apr 27, 2026 by DanielnetoDotCom (Moderate)
- Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
  GHSA-mwgh-92m2-wvhv published Apr 27, 2026 by DanielnetoDotCom (Moderate)
- Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard
  GHSA-6rvw-7p8v-mjfq published Apr 27, 2026 by DanielnetoDotCom (Moderate)