6.5
CVE-2026-34737 - AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bβ¦
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, including β¦
6.5
CVE-2026-34733 - AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !phβ¦
5.3
CVE-2026-34732 - AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php teβ¦
7.5
CVE-2026-34731 - AVideo: Unauthenticated Live Stream Termination via RTMP Callback on_publish_done.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo on_publish_done.php endpoint in the Live plugin allows unauthenticated users to terminate any active live stream. The endpoint processes RTMP callback events to mark streams as finished in the database, but performβ¦
6.4
CVE-2026-34716 - AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as rβ¦
6.5
CVE-2026-34613 - AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins β¦
6.5
CVE-2026-34611 - AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Becauβ¦
6.1
CVE-2026-34396 - AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-coβ¦
8.1
CVE-2026-34394 - AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explβ¦
6.5
CVE-2026-34395 - AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdminβ¦