By vendor
Wwbn vulnerabilities
Known CVEs affecting Wwbn products, prioritized by severity, with SEC.co remediation and detection guidance.
9 published vulnerabilities
- CVE-2026-45578HIGH 8.8
WWBN AVideo, an open-source video streaming platform, contains a command injection vulnerability in its live streaming notification system. An authenticated attacker can inject shell commands by crafting input with special characters, allowing them to execute arbitrary code on the server. The flaw exists because the application builds system commands by concatenating user-supplied values without properly escaping shell metacharacters.
- CVE-2026-45619MEDIUM 6.5
WWBN AVideo, an open-source video hosting platform, contains a DNS-rebinding vulnerability in its Server-Side Request Forgery (SSRF) protections. When the application checks whether a URL is safe to fetch, it validates the domain name but then makes the actual network request without
- CVE-2026-45610MEDIUM 5.7
WWBN AVideo, an open-source video hosting platform, contains a cross-site request forgery (CSRF) flaw that allows an attacker to disable two-factor authentication (2FA) on a victim's account without their knowledge. If a logged-in AVideo user visits a malicious website controlled by an attacker, that site can silently turn off the victim's 2FA protection in a single HTTP request. This happens because the vulnerable endpoint doesn't validate the origin of the request or require re-authentication. Once 2FA is disabled, the account becomes significantly easier to compromise if credentials are later leaked or guessed.
- CVE-2026-45580MEDIUM 5.4
WWBN AVideo, an open-source video streaming platform, contains a stored cross-site scripting (XSS) vulnerability in its Live plugin. A user with streaming permissions can inject malicious JavaScript into the stream configuration, which then executes in the browsers of anyone—logged-in or anonymous—who views that live stream. The vulnerability persists because user-controlled input (the stream key) is inserted directly into an HTML class attribute without proper sanitization.
- CVE-2026-47694MEDIUM 5.4
WWBN AVideo, an open-source video platform, contains a stored cross-site scripting (XSS) vulnerability in how it handles category descriptions. Any user with permission to create or modify video categories can inject malicious JavaScript code into the description field. This code then executes in the browsers of other users who view that category's gallery page. Unlike previously patched XSS issues affecting video titles or comments, this flaw specifically targets the category description rendering pipeline.
- CVE-2026-45620MEDIUM 5.3
CVE-2026-45620 is a user enumeration vulnerability in WWBN AVideo version 29.0 and earlier. The `objects/mention.json.php` endpoint lacks proper authentication controls and allows attackers to discover valid usernames on the platform without logging in. An attacker can craft requests to the endpoint and enumerate users by checking responses, potentially gathering intelligence for follow-up attacks like credential stuffing or targeted social engineering.
- CVE-2026-46337MEDIUM 5.3
WWBN AVideo, an open-source video platform, contains a path-traversal vulnerability in version 29.0 and earlier that allows anyone on the internet to download image files from the server without logging in. An attacker can bypass the application's permission controls to access private user profile photos, admin-uploaded thumbnails, encrypted-video poster frames, and files in neighboring directories. The vulnerability exists because the affected endpoint does not validate or restrict file paths before serving images.
- CVE-2026-45731MEDIUM 4.9
WWBN AVideo, an open-source video hosting platform, contains a file-read vulnerability in its database migration feature. An authenticated administrator can manipulate the migration process to read sensitive text files from the server's filesystem. This requires existing admin access, so it poses a targeted insider risk rather than a mass-exploitation threat, but it can expose configuration files, credentials, or other data to a compromised or malicious admin account.
- CVE-2026-47696MEDIUM 4.3
WWBN AVideo, an open-source video hosting platform, contains a payment processing vulnerability in versions 29.0 and earlier. When both the AuthorizeNet and YPTWallet plugins are active, any logged-in user can artificially inflate their account wallet balance without actually paying. The vulnerable endpoint accepts a user-supplied amount parameter and immediately credits the wallet without verifying that a real payment transaction occurred through Authorize.Net. This is a financial manipulation flaw that bypasses payment authentication entirely.