Vulnerabilities in WWBN
187 results

| CVE | Severity | Title | EPSS |
|---|---|---|---|
| CVE-2026-33237 | MEDIUM | AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation | 0.3% |
| CVE-2026-41056 | HIGH | AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover | 0.3% |
| CVE-2026-41064 | CRITICAL | AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) | 0.3% |
| CVE-2026-33493 | HIGH | AVideo has a Path Traversal in import.json.php that Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter | 0.3% |
| CVE-2026-35449 | MEDIUM | WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php | 0.3% |
| CVE-2026-33041 | MEDIUM | AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php | 0.3% |
| CVE-2026-33319 | MEDIUM | AVideo Vulnerable to OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command | 0.3% |
| CVE-2026-34740 | MEDIUM | AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation | 0.3% |
| CVE-2026-33480 | HIGH | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy | 0.3% |
| CVE-2026-33763 | MEDIUM | AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle | 0.3% |
| CVE-2026-34364 | MEDIUM | AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php | 0.3% |
| CVE-2026-35448 | LOW | WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php | 0.3% |
| CVE-2026-45578 | HIGH | WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL | 0.3% |
| CVE-2026-33035 | MEDIUM | Unauthenticated Reflected XSS via innerHTML in AVideo | 0.3% |
| CVE-2026-34395 | MEDIUM | AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php | 0.3% |
| CVE-2026-33685 | MEDIUM | AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data | 0.3% |
| CVE-2026-41060 | HIGH | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL | 0.3% |
| CVE-2026-34375 | HIGH | AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page | 0.3% |
| CVE-2026-33492 | HIGH | AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration | 0.3% |
| CVE-2026-33759 | MEDIUM | AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents | 0.3% |