Security: WWBN/AVideo
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
  GHSA-x2pw-9c38-cp2j published Apr 13, 2026 by DanielnetoDotCom (Moderate)
- Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
  GHSA-ffw8-fwxp-h64w published Apr 13, 2026 by DanielnetoDotCom (High)
- CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials
  GHSA-vvfw-4m39-fjqf published Apr 13, 2026 by DanielnetoDotCom (High)
- AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
  GHSA-gph2-j4c9-vhhr published Apr 13, 2026 by DanielnetoDotCom (Critical)
- Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)
  GHSA-6rc6-p838-686f published Apr 13, 2026 by DanielnetoDotCom (High)
- Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
  GHSA-52hf-63q4-r926 published Apr 13, 2026 by DanielnetoDotCom (Moderate)
- IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
  GHSA-gpgp-w4x2-h3h7 published Apr 13, 2026 by DanielnetoDotCom (Moderate)
- Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
  GHSA-cmcr-q4jf-p6q9 published Apr 6, 2026 by DanielnetoDotCom (High)
- GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
  GHSA-f4f9-627c-jh33 published Apr 6, 2026 by DanielnetoDotCom (High)
- Live restream log callback flow enables stored SSRF to internal services
  GHSA-q4x6-6mm2-crg9 published Apr 6, 2026 by DanielnetoDotCom (Moderate)