{"package":"wwbn/avideo","ecosystem":"composer","latest_version":"29.0","description":"Audio Video Platform","license":"proprietary","license_risk":"proprietary","commercial_use_notes":"Proprietary / custom license — do NOT use in commercial products without reviewing terms.","homepage":"","repository":"https://github.com/WWBN/AVideo","downloads_weekly":0,"health":{"score":34,"risk":"critical","breakdown":{"maintenance":25,"popularity":0,"security":0,"maturity":9,"community":0},"deprecated":false,"max_score":100},"vulnerabilities":{"count":19,"critical":1,"high":8,"medium":10,"low":0,"details":[{"vuln_id":"GHSA-52hf-63q4-r926","severity":"medium","summary":"WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T22:49:25Z"},{"vuln_id":"GHSA-5879-4fmr-xwf2","severity":"medium","summary":"WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:21:31Z"},{"vuln_id":"GHSA-6rc6-p838-686f","severity":"high","summary":"WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T22:49:48Z"},{"vuln_id":"GHSA-793q-xgj6-7frp","severity":"medium","summary":"WWBN AVideo has an incomplete fix for CVE-2026-33039: 
SSRF","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:15:43Z"},{"vuln_id":"GHSA-8pv3-29pp-pf8f","severity":"medium","summary":"WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:22:21Z"},{"vuln_id":"GHSA-8qm8-g55h-xmqr","severity":"medium","summary":"WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:13:08Z"},{"vuln_id":"GHSA-ccq9-r5cw-5hwq","severity":"high","summary":"WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:18:19Z"},{"vuln_id":"GHSA-ff5q-cc22-fgp4","severity":"high","summary":"WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:18:28Z"},{"vuln_id":"GHSA-ffw8-fwxp-h64w","severity":"high","summary":"WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update 
Script)","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:12:39Z"},{"vuln_id":"GHSA-gpgp-w4x2-h3h7","severity":"medium","summary":"WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T22:49:05Z"},{"vuln_id":"GHSA-gph2-j4c9-vhhr","severity":"critical","summary":"WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T22:50:05Z"},{"vuln_id":"GHSA-hg7g-56h5-5pqr","severity":"medium","summary":"CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:13:21Z"},{"vuln_id":"GHSA-j432-4w3j-3w8j","severity":"high","summary":"WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:22:01Z"},{"vuln_id":"GHSA-m63r-m9jh-3vc6","severity":"medium","summary":"WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL 
parameters","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:23:14Z"},{"vuln_id":"GHSA-m7r8-6q9j-m2hc","severity":"medium","summary":"WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:25:28Z"},{"vuln_id":"GHSA-pq8p-wc4f-vg7j","severity":"high","summary":"WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:27:18Z"},{"vuln_id":"GHSA-vvfw-4m39-fjqf","severity":"high","summary":"WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:12:30Z"},{"vuln_id":"GHSA-x2pw-9c38-cp2j","severity":"medium","summary":"WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-14T23:12:53Z"},{"vuln_id":"GHSA-xr6f-h4x7-r6qp","severity":"high","summary":"WWBN AVideo: RCE cause by clonesite 
plugin","affected_versions":"<=29.0|=10.4|=10.8|=11|=11.1|=11.1.1|=11.5|=11.6|=12.4|=14.3|=14.3.1|=14.4|=18.0|=21.0|=22.0|=24.0|=25.0|=26.0|=29.0","fixed_version":null,"source":"osv","published_at":"2026-04-16T21:25:19Z"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"29.0","total_count":18,"recent":["29.0","26.0","25.0","24.0","22.0","21.0","18.0","14.4","14.3.1","14.3","12.4","11.6","11.5","11.1.1","11.1","11","10.8","10.4"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2026-04-07T15:55:24+00:00","dependencies_count":45,"dependencies":["php","ext-curl","ext-json","ezyang/htmlpurifier","google/apiclient","google/apiclient-services","google/auth","guzzlehttp/guzzle","guzzlehttp/psr7","hybridauth/hybridauth","james-heinrich/getid3","monolog/monolog","phpmailer/phpmailer","psr/cache","psr/http-message","singpolyma/openpgp-php","aws/aws-sdk-php","gliterd/backblaze-b2","paypal/rest-api-sdk-php","paypal/paypal-payouts-sdk","paypal/paypal-checkout-sdk","emojione/assets","mervick/emojionearea","emojione/emojione","abraham/twitteroauth","symfony/http-client","norkunas/onesignal-php-api","stripe/stripe-php","symfony/translation","amphp/amp","scssphp/scssphp","vimeo/vimeo-api","phpseclib/phpseclib","bunnycdn/storage","chillerlan/php-qrcode","erusev/parsedown","spomky-labs/otphp","christian-riesen/base32","react/socket","react/event-loop","elephantio/elephant.io","iamcal/sql-parser","ratchet/pawl","zircote/swagger-php","authorizenet/authorizenet"]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["Moderate health score (34/100) — verify manually","8 high severity vulnerabilities","1 critical vulnerability"],"use_version":"29.0","version_hint":null,"summary":"wwbn/avideo has critical 
vulnerabilities — do not use"},"version_scoped":null,"_meta":{"endpoint":"check","tier":"full","philosophy":"DepScope is free. Use the cheapest endpoint that answers your real question.","cheaper_alternatives":[{"endpoint":"/api/exists/composer/wwbn%2Favideo","tokens_estimated":12,"use_when":"you only need to know if the package exists (hallucination guard)"},{"endpoint":"/api/health/composer/wwbn%2Favideo","tokens_estimated":80,"use_when":"you only need a 0-100 score for go/no-go (>=70 = safe)"},{"endpoint":"/api/prompt/composer/wwbn%2Favideo","tokens_estimated":280,"use_when":"you want a plain-text LLM-friendly brief instead of JSON"},{"endpoint":"POST /api/check_bulk","tokens_estimated":60,"use_when":"you have 5+ packages to check; sends one round-trip instead of N"}],"docs":"https://depscope.dev/integrate","hint_bulk":"You've called /api/check 44 times in 60s. Save bandwidth + tokens with POST /api/check_bulk (1 round-trip for N pkgs)."},"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":18,"first_release_age_days":null,"last_release_days_ago":25,"avg_days_between_releases":null,"release_velocity":"active"}}