Vulnerabilities in WWBN

187 results
CVE-2026-45620 | MEDIUM | AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration | EPSS 0.2%
CVE-2026-33296 | LOW | AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php | EPSS 0.2%
CVE-2026-43882 | MEDIUM | WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing | EPSS 0.2%
CVE-2026-33683 | MEDIUM | AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field | EPSS 0.2%
CVE-2026-33690 | MEDIUM | AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() | EPSS 0.2%
CVE-2026-41061 | MEDIUM | WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiver | EPSS 0.2%
CVE-2026-40925 | HIGH | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | EPSS 0.2%
CVE-2026-33649 | HIGH | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification | EPSS 0.2%
CVE-2026-39366 | MEDIUM | WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php | EPSS 0.2%
CVE-2026-56347 | MEDIUM | AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields | EPSS 0.2%
CVE-2026-43883 | MEDIUM | WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements | EPSS 0.2%
CVE-2026-40926 | HIGH | WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | EPSS 0.2%
CVE-2026-43879 | MEDIUM | WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass | EPSS 0.2%
CVE-2026-47694 | MEDIUM | WWBN AVideo: Stored XSS via unescaped Gallery category description | EPSS 0.2%
CVE-2026-34611 | MEDIUM | AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users | EPSS 0.2%
CVE-2026-43876 | MEDIUM | WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers | EPSS 0.2%
CVE-2026-33867 | CRITICAL | AVideo has Plaintext Video Password Storage | EPSS 0.2%
CVE-2026-45580 | MEDIUM | WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute | EPSS 0.1%
CVE-2026-45619 | MEDIUM | AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post | EPSS 0.1%
CVE-2026-35181 | MEDIUM | WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php | EPSS 0.1%