Please report security issues to developer@streamphp.com
Security: WWBN/AVideo
.github/SECURITY.md
- Incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink (GHSA-wc3f-xc32-435f), published Jun 10, 2026 by DanielnetoDotCom. Severity: High
- Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin (GHSA-8whc-2wmv-ww35), published Jun 4, 2026 by DanielnetoDotCom. Severity: Critical
- Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section (GHSA-66q5-cj5g-wrfx), published May 28, 2026 by DanielnetoDotCom. Severity: Moderate
- Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination (GHSA-hgjh-6wj8-gcgf), published May 28, 2026 by DanielnetoDotCom. Severity: Moderate
- Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler (GHSA-2fhx-q92v-5fhv), published May 25, 2026 by DanielnetoDotCom. Severity: High
- Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint (GHSA-9392-pj54-qqf8), published May 19, 2026 by DanielnetoDotCom. Severity: High
- Stored XSS via unescaped Gallery category description (GHSA-c8h8-vq34-9fw2), published May 19, 2026 by DanielnetoDotCom. Severity: Moderate
- Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` (GHSA-w4qq-74h6-58wq), published May 13, 2026 by DanielnetoDotCom. Severity: Moderate
- Authenticated Arbitrary File Read in view/update.php (GHSA-3mjv-375j-6h92), published May 12, 2026 by DanielnetoDotCom. Severity: Moderate
- AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024` (GHSA-vpfx-pxqw-2w79), published May 11, 2026 by DanielnetoDotCom. Severity: Moderate