HIGH8.8CVE-2026-45578AVideo: OS command injection in on_publish.php execAsync via unescaped m3u8 URL from 0, <= 29.0
HIGH7.6CVE-2026-39369WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs from 0, <= 26.0
HIGH7.1CVE-2026-39370WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) from 0, <= 26.0
MEDIUM6.5AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
from 0, <= 29.0
MEDIUM6.5WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
from 0, <= 26.0
MEDIUM6.1WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination
from 0, <= 29.0
MEDIUM5.7AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA
from 0, <= 29.0
MEDIUM5.4WWBN AVideo: Stored XSS via unescaped Gallery category description
from 0, <= 29.0
MEDIUM5.4AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
from 0, <= 29.0
MEDIUM5.3AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
from 0, <= 29.0
MEDIUM5.3AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`
from 0, <= 29.0
MEDIUM4.9AVideo: Authenticated Arbitrary File Read in view/update.php
from 0, <= 29.0
MEDIUM4.7WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
from 0, <= 29.0
MEDIUM4.3WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint
from 0, <= 29.0