Audio Video Platform
wwbn/avideo has critical vulnerabilities — do not use
| Severity | ID | Summary | Fixed in |
|---|---|---|---|
| medium | GHSA-52hf-63q4-r926 | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version | — |
| medium | GHSA-5879-4fmr-xwf2 | WWBN AVideo has an incomplete fix for CVE-2026-33293: Path Traversal | — |
| high | GHSA-6rc6-p838-686f | WWBN AVideo has a Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) | — |
| medium | GHSA-793q-xgj6-7frp | WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF | — |
| medium | GHSA-8pv3-29pp-pf8f | WWBN AVideo has Stored XSS via Unanchored Duration Regex in Video Encoder Receiver | — |
| medium | GHSA-8qm8-g55h-xmqr | WWBN AVideo is missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators | — |
| high | GHSA-ccq9-r5cw-5hwq | WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover | — |
| high | GHSA-ff5q-cc22-fgp4 | WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses | — |
| high | GHSA-ffw8-fwxp-h64w | WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script) | — |
| medium | GHSA-gpgp-w4x2-h3h7 | WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens | — |
| critical | GHSA-gph2-j4c9-vhhr | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks | — |
| medium | GHSA-hg7g-56h5-5pqr | CAPTCHA Bypass in WWBN/AVideo via Attacker-Controlled Length Parameter and Missing Token Invalidation on Failure | — |
| high | GHSA-j432-4w3j-3w8j | WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL | — |
| medium | GHSA-m63r-m9jh-3vc6 | WWBN AVideo has an Incomplete fix: Directory traversal bypass via query string in ReceiveImage downloadURL parameters | — |
| medium | GHSA-m7r8-6q9j-m2hc | WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS | — |
| high | GHSA-pq8p-wc4f-vg7j | WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection | — |
| high | GHSA-vvfw-4m39-fjqf | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials | — |
| medium | GHSA-x2pw-9c38-cp2j | WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion | — |
| high | GHSA-xr6f-h4x7-r6qp | WWBN AVideo: RCE cause by clonesite plugin | — |
Get this data programmatically — free, no authentication.
curl https://depscope.dev/api/check/composer/wwbn/avideo

Last updated · 2026-04-07T15:55:24+00:00