Security Vulnerabilities
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHistory_id` values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to `exec()`, allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as `$()` or backticks. Commit 99b865413172045fef6a98b5e9bfc7b24da11678 contains a patch.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-03-23
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
CVSS Score
5.3
EPSS Score
0.001
Published
2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch.
CVSS Score
9.3
EPSS Score
0.0
Published
2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-03-23
XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file
CVSS Score
6.2
EPSS Score
0.0
Published
2026-03-23
XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun via a crafted .tiff file.
CVSS Score
6.2
EPSS Score
0.0
Published
2026-03-23
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system — completely bypassing the second authentication factor. Additionally, the `generateKeys.json.php` and `encryptMessage.json.php` endpoints lack any authentication checks, exposing CPU-intensive key generation to anonymous users. Commit 00d979d87f8182095c8150609153a43f834e351e contains a patch.
CVSS Score
7.4
EPSS Score
0.0
Published
2026-03-23