Vulnerabilities in WWBN

187 results
CVE-2026-43875 | MEDIUM | WWBN AVideo: Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Takeover | EPSS 0.3%
CVE-2026-34737 | MEDIUM | AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug | EPSS 0.3%
CVE-2026-34716 | MEDIUM | AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification | EPSS 0.3%
CVE-2026-33688 | MEDIUM | AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint | EPSS 0.3%
CVE-2026-33294 | MEDIUM | AVideo has SSRF in BulkEmbed Thumbnail Fetch that Allows Reading Internal Network Resources | EPSS 0.3%
CVE-2026-43881 | MEDIUM | WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard | EPSS 0.3%
CVE-2026-40907 | MEDIUM | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | EPSS 0.3%
CVE-2026-43885 | HIGH | WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization | EPSS 0.3%
CVE-2026-43873 | HIGH | WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server | EPSS 0.3%
CVE-2026-33354 | HIGH | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php` | EPSS 0.3%
CVE-2026-33488 | HIGH | AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin | EPSS 0.3%
CVE-2026-40908 | MEDIUM | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version | EPSS 0.3%
CVE-2026-34245 | MEDIUM | AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking | EPSS 0.2%
CVE-2026-34362 | MEDIUM | AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() | EPSS 0.2%
CVE-2026-34247 | MEDIUM | AVideo's IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications | EPSS 0.2%
CVE-2026-33650 | HIGH | AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion | EPSS 0.2%
CVE-2026-43874 | HIGH | WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass | EPSS 0.2%
CVE-2026-34738 | MEDIUM | AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter | EPSS 0.2%
CVE-2026-27732 | HIGH | AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php | EPSS 0.2%
CVE-2026-33512 | HIGH | AVideo has an unauthenticated decrypt oracle leaking any ciphertext | EPSS 0.2%