SB2026050472 - Multiple vulnerabilities in AVideo

Published: May 4, 2026

Security Bulletin ID: SB2026050472
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 54
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 13%
Medium: 46%
Low: 41%

Description

This security bulletin contains information about 54 vulnerabilities.


1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-33499)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in view/forbiddenPage.php and view/warningPage.php when rendering the unlockPassword request parameter into HTML input attributes. A remote attacker can send a specially crafted link to execute arbitrary script in the victim's browser.

User interaction is required because the victim must click the crafted link.


2) Path traversal (CVE-ID: CVE-2026-33493)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read arbitrary files, delete arbitrary files, and bypass access controls to access private video content.

The vulnerability exists due to path traversal in objects/import.json.php when processing a user-supplied fileURI parameter. A remote user can send a specially crafted request to read arbitrary files, delete arbitrary files, and bypass access controls to access private video content.

Exploitation requires upload permission. Adjacent .txt, .html, and .htm files may be disclosed through the imported video's description field, and deletion succeeds only for files writable by the web server process.


3) Session Fixation (CVE-ID: CVE-2026-33492)

CWE-ID: CWE-384 - Session Fixation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to hijack an authenticated session.

The vulnerability exists due to session fixation in _session_start() and User::login() when processing a crafted same-domain link containing the PHPSESSID GET parameter. A remote user can send a specially crafted link to hijack an authenticated session.

User interaction is required, and exploitation relies on the victim following the link from within the AVideo platform so the request is treated as same-domain.


4) Inadequate Encryption Strength (CVE-ID: CVE-2026-33488)

CWE-ID: CWE-326 - Inadequate Encryption Strength

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass two-factor authentication and take over an account.

The vulnerability exists due to inadequate encryption strength in the LoginControl plugin PGP 2FA key generation function when generating RSA keys for PGP-based login challenges. A remote attacker can obtain a target user's public key, factor the 512-bit RSA modulus, and decrypt the challenge to bypass two-factor authentication and take over an account.

Only accounts that enabled PGP 2FA using the built-in key generator are affected; users who imported adequately sized external keys are not affected by the weak-key issue.


5) Improper Authentication (CVE-ID: CVE-2026-33512)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authentication in the API plugin decryptString action when handling crafted requests to the unauthenticated API endpoint. A remote attacker can submit ciphertext to recover plaintext and disclose sensitive information.

Publicly accessible ciphertext returned by url2Embed.json.php can be decrypted through this oracle.


6) Improper Control of Filename for Include/Require Statement in PHP Program (CVE-ID: CVE-2026-33513)

CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information and execute arbitrary code.

The vulnerability exists due to improper control of filename for include statement in PHP program in the API locale endpoint when processing a crafted language parameter. A remote attacker can send a specially crafted request with path traversal sequences to disclose sensitive information and execute arbitrary code.

Only deployments with the API plugin enabled are vulnerable, and code execution requires a writable or otherwise attacker-controlled PHP file to be present under the web root.


7) Incorrect authorization (CVE-ID: CVE-2026-33650)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete arbitrary videos.

The vulnerability exists due to incorrect authorization in videoAddNew.json.php and videoDelete.json.php when handling video edit and delete requests. A remote user can transfer ownership of a target video to their own account and then delete it, allowing arbitrary videos to be deleted.

The issue affects users granted the "Videos Moderator" permission, which is documented as allowing only video publicity changes.


8) Observable Response Discrepancy (CVE-ID: CVE-2026-33688)

CWE-ID: CWE-204 - Observable Response Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to enumerate valid usernames and disclose account status information.

The vulnerability exists due to observable response discrepancy in objects/userRecoverPass.php when handling password recovery requests before captcha validation. A remote attacker can send specially crafted password recovery requests to enumerate valid usernames and disclose account status information.

No user interaction is required, and distinct JSON error responses reveal whether an account is active, inactive, or non-existent.


9) SQL injection (CVE-ID: CVE-2026-33723)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in the Subscribe::save() method in objects/subscribe.php when handling crafted POST requests to subscribe.json.php or subscribeNotify.json.php through the user_id parameter. A remote user can send a specially crafted user_id parameter to disclose sensitive information and modify data.

Exploitation requires an authenticated session and is reachable through both subscribe.json.php and subscribeNotify.json.php.


10) Missing Authentication for Critical Function (CVE-ID: CVE-2026-33719)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to modify CDN configuration and cause a denial of service.

The vulnerability exists due to missing authentication for critical function in plugin/CDN/status.json.php and plugin/CDN/disable.json.php when handling requests with an unconfigured default key. A remote attacker can send specially crafted requests with attacker-controlled par parameters to modify CDN configuration and cause a denial of service.

Exploitation is possible only when the CDN plugin is enabled and its key remains in the default empty state.


11) Arbitrary file upload (CVE-ID: CVE-2026-33717)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in the downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php when processing a downloadURL request with an invalid resolution value. A remote user can supply a crafted remote URL pointing to a PHP file and trigger early termination after the file has been written, leaving an executable file under the web root and allowing arbitrary code execution.

Exploitation requires upload permissions and an attacker-controlled server hosting the payload file.


12) Improper Authentication (CVE-ID: CVE-2026-33716)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication and control live streams.

The vulnerability exists due to improper authentication in plugin/Live/standAloneFiles/control.json.php when processing a user-supplied streamerURL parameter for token verification. A remote attacker can supply a crafted streamerURL that redirects token verification to an attacker-controlled server to bypass authentication and control live streams.

The issue can be used to drop active publishers, start or stop recordings, probe stream existence, and trigger server-side requests to attacker-controlled URLs.


13) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2026-33763)

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper restriction of excessive authentication attempts in the get_api_video_password_is_correct API endpoint when handling password-verification requests for password-protected videos. A remote attacker can send repeated password guesses and use the boolean passwordIsCorrect response to disclose sensitive information.

The endpoint is reachable without authentication and requires no user interaction.


14) Missing Authorization (CVE-ID: CVE-2026-33761)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authorization in Scheduler plugin list.json.php endpoints when handling GET requests. A remote attacker can send simple GET requests to disclose sensitive information.

The exposed data includes scheduled tasks, internal callback URLs and parameters, admin-composed email subjects and HTML bodies, and mappings between users and email campaigns.


15) Missing Authorization (CVE-ID: CVE-2026-33759)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authorization in objects/playlistsVideos.json.php when handling requests with a playlists_id parameter. A remote attacker can send a specially crafted request with a sequential playlist identifier to disclose sensitive information.

Private playlists, including watch_later and favorite playlists, can be enumerated because playlist identifiers are sequential integers.


16) Missing Authorization (CVE-ID: CVE-2026-34369)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose protected video playback URLs.

The vulnerability exists due to missing authorization in the get_api_video_file and get_api_video API endpoints when handling requests for password-protected videos. A remote attacker can send a specially crafted API request to disclose protected video playback URLs.

The issue affects password-protected videos because the API code path does not invoke the intended video password verification, and the video listing API can expose which videos are password-protected.


17) Race condition (CVE-ID: CVE-2026-34368)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to create wallet balance from nothing.

The vulnerability exists due to a race condition in the transferBalance() method in plugin/YPTWallet/YPTWallet.php when handling concurrent transfer requests. A remote user can send concurrent transfer requests from multiple authenticated sessions to create wallet balance from nothing.

The issue requires multiple authenticated sessions for the same account, and captcha validation can be reused within each session.


18) Incorrect authorization (CVE-ID: CVE-2026-34364)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to incorrect authorization in categories.json.php when handling category listing requests. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue affects both the default request path, where group filtering is skipped, and requests using the ?user= parameter, where a boolean-to-integer type confusion causes the admin user's group memberships to be used.


19) Insufficient Session Expiration (CVE-ID: CVE-2026-34362)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and impersonate users over WebSocket connections.

The vulnerability exists due to insufficient session expiration in verifyTokenSocket() in plugin/YPTSocket/functions.php when validating WebSocket tokens. A remote user can reuse a captured or previously obtained WebSocket token to disclose sensitive information and impersonate users over WebSocket connections.

Admin tokens can expose real-time connection data for online users, including IP addresses, browser information, and page locations, and tokens remain usable even after account deletion, banning, or privilege demotion.


20) Missing Authorization (CVE-ID: CVE-2026-34247)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to overwrite scheduled live stream posters and disclose sensitive information.

The vulnerability exists due to missing authorization in plugin/Live/uploadPoster.php when handling authenticated file upload requests with an arbitrary live_schedule_id. A remote user can upload a crafted poster for another user's scheduled stream to overwrite scheduled live stream posters and disclose sensitive information.

The issue also triggers a socketLiveOFFCallback broadcast to all connected WebSocket clients, and schedule IDs are sequential integers that can be trivially enumerated.


21) Missing Authorization (CVE-ID: CVE-2026-34245)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify broadcast schedules for other users' playlists.

The vulnerability exists due to missing authorization in plugin/PlayLists/View/Playlists_schedules/add.json.php when handling schedule creation or modification requests. A remote user can send a specially crafted request to modify broadcast schedules for other users' playlists.

When the schedule executes, the rebroadcast runs under the targeted playlist owner's identity.


22) SQL injection (CVE-ID: CVE-2026-34374)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in Live_schedule::keyExists() when handling a crafted stream key during RTMP publish authentication. A remote attacker can send a specially crafted POST request to disclose sensitive information and modify data.

The issue is reachable through a fallback lookup path, and the p query parameter is required to reach the vulnerable code path.


23) Missing Authorization (CVE-ID: CVE-2026-34395)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in plugin/YPTWallet/view/users.json.php when handling requests to the users.json.php endpoint. A remote user can send a request to the endpoint to retrieve every platform user's personal information and wallet balances.

The endpoint is accessible to any authenticated user and exposes data for all users, including admin accounts.


24) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-34716)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in the YPTSocket caller notification handling in plugin/YPTSocket/caller.js when processing forged WebSocket call messages. A remote user can send a specially crafted WebSocket call message with a malicious from_identification value to execute arbitrary script code in the victim's browser.

The issue is triggered without user interaction when the victim is online and connected to the WebSocket, and exploitation requires a custom WebSocket client because the normal UI sanitizes display names.


25) Improper Authorization (CVE-ID: CVE-2026-34738)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass content moderation workflows.

The vulnerability exists due to improper authorization in the video publishing workflow when handling upload requests with the overrideStatus parameter. A remote user can send a specially crafted upload request to bypass content moderation workflows.

Only users with upload permissions can exploit this issue, and exploitation can make uploaded videos immediately publicly visible when moderation is enabled.


26) Missing Authorization (CVE-ID: CVE-2026-34737)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cancel arbitrary Stripe subscriptions.

The vulnerability exists due to improper access control in the StripeYPT test.php debug endpoint when processing user-supplied Stripe webhook-style payloads. A remote user can send a specially crafted payload containing a target subscription ID to cancel arbitrary Stripe subscriptions.

The issue is triggered through the retrieveSubscriptions() method, which cancels a subscription instead of only retrieving it.


27) Improper access control (CVE-ID: CVE-2026-34733)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to delete files and disclose sensitive information.

The vulnerability exists due to improper access control in install/deleteSystemdPrivate.php when handling HTTP requests to the CLI-only endpoint. A remote attacker can send a specially crafted request to delete files and disclose sensitive information.

The issue is caused by a PHP operator precedence bug in the CLI guard, and repeated requests can interfere with temp-dependent operations.


28) Missing Authentication for Critical Function (CVE-ID: CVE-2026-34732)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication in CreatePlugin/templates/list.json.php when handling requests to generated list.json.php endpoints. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue affects list endpoints generated by the CreatePlugin code generator and can expose user PII, payment transaction logs, IP addresses, user agents, and internal system records.


29) Missing Authentication for Critical Function (CVE-ID: CVE-2026-34731)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing authentication for critical function in the on_publish_done.php endpoint in the Live plugin when handling RTMP callback requests. A remote attacker can send a crafted POST request with a stream key to cause a denial of service.

Active stream keys can be enumerated through the unauthenticated stats.json.php endpoint.


30) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34740)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform server-side requests to arbitrary internal and external targets and disclose sensitive information.

The vulnerability exists due to server-side request forgery in the EPG link processing path when handling a stored user-supplied EPG URL. A remote user can store a crafted URL that the server fetches on subsequent EPG page visits to perform server-side requests to arbitrary internal and external targets and disclose sensitive information.

The issue is persistent because the URL is stored and re-fetched on every EPG page visit.


31) Missing Authorization (CVE-ID: CVE-2026-35179)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify content on the platform's Instagram account.

The vulnerability exists due to missing authorization in publishInstagram.json.php when handling requests to proxy Instagram Graph API calls. A remote attacker can send a specially crafted request with user-controlled Graph API parameters to modify content on the platform's Instagram account.

The endpoint forwards the request to Facebook's servers and uses the server's IP address for the API calls.


32) Missing Authentication for Critical Function (CVE-ID: CVE-2026-35450)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authentication for a critical function in plugin/API/check.ffmpeg.json.php when handling requests to the FFmpeg status endpoint. A remote attacker can send a request to the endpoint to disclose sensitive information.

The issue reveals whether the platform uses a standalone FFmpeg server and its current reachability, which may aid infrastructure reconnaissance.


33) Information disclosure (CVE-ID: CVE-2026-35449)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in install/test.php when handling HTTP requests to the diagnostic script. A remote attacker can send a specially crafted request with a video identifier to disclose sensitive information.

The issue can expose viewer IP addresses, session identifiers, user agents, and internal filesystem paths through PHP error output.


34) Missing Authorization (CVE-ID: CVE-2026-35448)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive payment order information.

The vulnerability exists due to missing authorization in the BlockonomicsYPT check.php endpoint when handling requests for a supplied Bitcoin address. A remote attacker can send a specially crafted request with a known Bitcoin address to disclose sensitive payment order information.

Bitcoin addresses used by the platform may be discoverable from public blockchain data, and no session cookie or API key is required.


35) Information disclosure (CVE-ID: CVE-2026-35452)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in plugin/CloneSite/client.log.php when handling requests to the log endpoint. A remote attacker can send a request to the endpoint to disclose sensitive information.

If the CloneSite feature has been used, the exposed log may contain internal filesystem paths, remote server URLs, SSH connection metadata, and SQL dump file locations.


36) Cross-site request forgery (CVE-ID: CVE-2026-33507)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to cross-site request forgery in the plugin import endpoint when handling plugin upload requests. A remote attacker can trick a victim into submitting a crafted request to upload a malicious plugin to execute arbitrary code.

User interaction is required.


37) SQL injection (CVE-ID: CVE-2026-33651)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to SQL injection in Scheduler_commands::getAllActiveOrToRepeat() when handling a crafted live_schedule_id value through the remindMe.json.php endpoint. A remote user can send a specially crafted request to disclose sensitive information and modify data.

The issue is exploitable through time-based blind techniques, and no user interaction is required.


38) Cross-site request forgery (CVE-ID: CVE-2026-33649)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper access control in setPermission.json.php when handling GET requests that modify permissions. A remote attacker can trick a victim into following a crafted link to escalate privileges.

User interaction is required to follow the crafted link.


39) OS Command Injection (CVE-ID: CVE-2026-33648)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary OS commands on the server.

The vulnerability exists due to improper neutralization of special elements used in an OS command in plugin/Live/standAloneFiles/restreamer.json.php when constructing a log file path from user-supplied users_id and liveTransmitionHistory_id values and passing it to exec(). A remote user can send a specially crafted JSON request containing shell metacharacters to execute arbitrary OS commands on the server.

Exploitation requires valid restream functionality access, including a valid restream token and live streaming permissions.


40) Arbitrary file upload (CVE-ID: CVE-2026-33647)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in ImageGallery::saveFile() when handling file uploads through the ImageGallery upload endpoint. A remote user can upload a specially crafted polyglot file with a dangerous extension to execute arbitrary code.

Exploitation requires the ImageGallery plugin to be enabled, and the user must have manage permission on the targeted Image or Gallery video.


41) Use of Less Trusted Source (CVE-ID: CVE-2026-33690)

CWE-ID: CWE-348 - Use of Less Trusted Source

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to spoof the client IP address and bypass IP-based access controls or audit logging.

The vulnerability exists due to use of a less trusted source in the getRealIpAddr() function in objects/functions.php when processing user-supplied HTTP headers. A remote attacker can send a specially crafted request with forged IP-related headers to spoof the client IP address and bypass IP-based access controls or audit logging.

The issue can also affect IP-based rate limiting and may have greater impact where localhost is trusted.


42) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from internal, localhost, or cloud metadata services.

The vulnerability exists due to server-side request forgery in plugin/Live/test.php when processing the statsURL parameter without isSSRFSafeURL() validation. A remote privileged user can send a specially crafted request to disclose sensitive information from internal, localhost, or cloud metadata services.

The endpoint returns the full fetched response content in the HTML output, and the issue affects authenticated admin access.


43) Missing Authorization (CVE-ID: CVE-2026-33685)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive ad campaign analytics and user data.

The vulnerability exists due to missing authorization in plugin/AD_Server/reports.json.php when handling requests to the JSON reporting endpoint. A remote attacker can send a specially crafted request with report parameters to disclose sensitive ad campaign analytics and user data.

The endpoint can expose video titles, channel names, user IDs, campaign names, and impression or click counts, and user enumeration is possible by iterating users_id values.


44) Cross-site scripting (CVE-ID: CVE-2026-33683)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the channel about field when processing user-supplied profile content. A remote user can submit crafted HTML or script content to execute arbitrary JavaScript in another user's browser.

User interaction is required when a victim visits the attacker's channel page.


45) Path traversal (CVE-ID: CVE-2026-33681)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary SQL files.

The vulnerability exists due to path traversal in pluginRunDatabaseScript.json.php when processing an unsanitized plugin name. A remote privileged user can supply a specially crafted plugin name to execute arbitrary SQL files.
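
A plugin name that is concatenated into a filesystem path needs two independent controls: a strict allowlist on the name, and a check that the canonical path still lies under the intended directory. The block below is an added example for this bulletin, not AVideo's pluginRunDatabaseScript.json.php; the directory layout plugin/<Name>/install/install.sql and the sample plugin are assumptions.

```php
<?php
// Added example (not AVideo's code). Resolve a plugin SQL script from a validated plugin
// name and confirm the canonical path stays inside the plugin root. The layout
// <root>/<Name>/install/install.sql is an assumption made for this example.
declare(strict_types=1);

function resolvePluginSqlScript(string $pluginName, string $pluginRoot): ?string
{
    // 1. Allowlist the name: a plugin directory name is alphanumeric plus underscore,
    //    so "..", "/", "\" and NUL bytes never reach the path at all.
    if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $pluginName) !== 1) {
        return null;
    }
    $root = realpath($pluginRoot);
    if ($root === false) {
        return null;
    }
    // 2. Build the path from the validated name only and canonicalise it.
    $candidate = realpath(
        $root . DIRECTORY_SEPARATOR . $pluginName
        . DIRECTORY_SEPARATOR . 'install' . DIRECTORY_SEPARATOR . 'install.sql'
    );
    if ($candidate === false) {
        return null; // plugin or script does not exist (also catches dangling symlinks)
    }
    // 3. Defence in depth: even after realpath(), the result must be under the root.
    //    The trailing separator prevents "/srv/plugins_evil" matching root "/srv/plugins".
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway plugin tree in the temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugins_' . bin2hex(random_bytes(4));
mkdir($root . '/Demo/install', 0700, true);
file_put_contents($root . '/Demo/install/install.sql', "-- constructed sample script\n");

var_dump(resolvePluginSqlScript('Demo', $root) !== null);   // bool(true)
var_dump(resolvePluginSqlScript('../../etc', $root));       // NULL (rejected by the allowlist)
var_dump(resolvePluginSqlScript('Demo/../Demo', $root));    // NULL (rejected by the allowlist)
var_dump(resolvePluginSqlScript('Missing', $root));         // NULL (no such plugin)
```

The allowlist alone would be enough for this case; the realpath() containment check is kept because it still protects the endpoint if a later change relaxes the pattern or a symlink is planted inside the plugin tree.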


46) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33764)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the AI plugin save.json.php endpoint when handling attacker-controlled AI response identifiers. A remote user can supply a crafted request referencing another user's AI response ID to disclose sensitive information.

Exploitation requires AI permissions and the ability to edit at least one video. Sequential AI response IDs make enumeration possible.


47) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to missing authorization in payment plugin list.json.php endpoints when handling unauthenticated requests for payment log data. A remote attacker can send a specially crafted request to disclose sensitive information.

The exposed records include PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, Bitcoin payment records, user identifiers, and payment amounts.


48) Cross-site scripting (CVE-ID: CVE-2026-34375)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the YPTWallet Stripe payment page when handling a plugin parameter. A remote attacker can supply a specially crafted parameter value to execute arbitrary script in a user's browser.

User interaction is required to load the crafted page or URL.


49) Cross-site scripting (CVE-ID: CVE-2026-34396)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser in the context of the admin panel.

The vulnerability exists due to improper neutralization of input during web page generation in plugin configuration values in the admin panel when rendering stored configuration data. A remote attacker can inject specially crafted configuration values to execute arbitrary script code in a victim's browser in the context of the admin panel.

User interaction is required for an administrator to view the affected admin panel content.


50) Cross-site request forgery (CVE-ID: CVE-2026-34394)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to modify payment credentials.

The vulnerability exists due to improper request authorization in the admin plugin configuration functionality when handling crafted cross-site requests. A remote attacker can trick an administrator into visiting a malicious page to modify payment credentials.

User interaction is required, and exploitation depends on an administrator visiting attacker-controlled content while authenticated.


51) Path traversal (CVE-ID: CVE-2026-39369)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in objects/aVideoEncoderReceiveImage.json.php when processing a crafted same-origin /videos/... URL through downloadURL_gifimage. A remote user can supply a specially crafted downloadURL_gifimage value to disclose sensitive information.

The issue can expose server-local files by leaving fetched non-image content accessible through a public GIF media URL.


52) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-39368)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from internal services.

The vulnerability exists due to server-side request forgery (SSRF) in the Live restream log callback flow when processing a stored attacker-controlled restreamerURL. A remote user can store a crafted callback URL and trigger server-side requests to internal or loopback services to disclose sensitive information from internal services.

Exploitation requires streaming permission, and the server-fetched response can be returned through normal application endpoints.
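
Entries 42 and 52 are both server-side request forgery through a URL the application fetches on the user's behalf (statsURL fetched without isSSRFSafeURL() validation, and a stored restreamerURL used as a callback). The block below is one added example covering both, written for this bulletin; it is not AVideo's isSSRFSafeURL() and the function names and sample URLs are assumptions. It restricts the scheme, resolves the host, refuses any answer in a loopback, private, link-local (which includes the cloud metadata address range) or CGNAT range, disables redirects, and pins the cURL connection to the address that was validated so a DNS rebinding between check and fetch cannot redirect the request.

```php
<?php
// Added example (not AVideo's code). Validate an outbound URL before a server-side fetch
// and pin the fetch to the validated address. Function names are assumptions.
declare(strict_types=1);

/** Return the resolved addresses that are safe to connect to, or [] if the URL must be refused. */
function safeOutboundAddresses(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return [];
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return []; // no file://, gopher://, ftp:// etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return []; // "http://trusted@127.0.0.1/" style confusion
    }
    $host    = strtolower($parts['host']);
    $literal = trim($host, '[]');           // bracketed IPv6 literal
    $addrs   = filter_var($literal, FILTER_VALIDATE_IP) !== false ? [$literal] : resolveAll($host);
    if ($addrs === []) {
        return [];
    }
    foreach ($addrs as $ip) {
        if (!isPublicAddress($ip)) {
            return []; // a single internal answer poisons the whole record set
        }
    }
    return $addrs;
}

function resolveAll(string $host): array
{
    $ips = [];
    foreach ((array)dns_get_record($host, DNS_A | DNS_AAAA) as $rec) {
        if (isset($rec['ip']))   { $ips[] = $rec['ip']; }
        if (isset($rec['ipv6'])) { $ips[] = $rec['ipv6']; }
    }
    return $ips;
}

function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects 0.0.0.0/8, 127.0.0.0/8,
    // 169.254.0.0/16 (metadata services live here), 240.0.0.0/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    // CGNAT 100.64.0.0/10 is not covered by the filter flags; many cloud-internal services sit there.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        if ((ip2long($ip) & 0xFFC00000) === 0x64400000) {
            return false;
        }
    }
    return true;
}

/** Fetch a validated URL; returns null when the URL is refused or the request fails. */
function fetchValidated(string $url): ?string
{
    $addrs = safeOutboundAddresses($url);
    if ($addrs === []) {
        return null;
    }
    $p    = parse_url($url);
    $port = $p['port'] ?? (strtolower($p['scheme']) === 'https' ? 443 : 80);
    $ch   = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could point back at 127.0.0.1
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        // Pin the connection to the address we validated (defeats DNS rebinding).
        CURLOPT_RESOLVE        => [sprintf('%s:%d:%s', $p['host'], $port, $addrs[0])],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Constructed inputs; none of these require network access to evaluate.
foreach (['http://127.0.0.1/', 'http://169.254.169.254/latest/', 'http://[::1]/',
          'gopher://203.0.113.10/', 'http://203.0.113.10/stats'] as $u) {
    echo $u, ' => ', safeOutboundAddresses($u) === [] ? 'refused' : 'allowed', PHP_EOL;
}
```

Because a validated response is still returned to the caller, the second half of the fix for entry 42 is to stop echoing the full fetched body into the page; return only the parsed fields the feature actually needs.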


53) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-39367)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the EPG page when rendering program titles from user-controlled XML content. A remote user can set a video's epg_link to a malicious XML file containing crafted program titles to execute arbitrary script in the victim's browser.

User interaction is required to visit the public EPG page, and the malicious content may persist due to server-side caching.


54) Insufficient verification of data authenticity (CVE-ID: CVE-2026-39366)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inflate wallet balances and renew subscriptions without additional payment.

The vulnerability exists due to insufficient verification of data authenticity in the PayPal IPN v1 handler in plugin/PayPalYPT/ipn.php when processing replayed legitimate IPN notifications. A remote user can replay a previously captured valid IPN request to inflate wallet balances and renew subscriptions without additional payment.

Exploitation requires a legitimate prior PayPal subscription payment and access to the corresponding IPN POST data.
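
The PayPal _notify-validate handshake does not help against this class of issue: a replayed copy of a genuine notification is still a genuine notification, and PayPal will answer VERIFIED for it again. The defence is to make processing idempotent on the transaction identifier. The block below is an added example for this bulletin, not AVideo's plugin/PayPalYPT/ipn.php; the ledger tables, the wallet schema and the sample IPN fields are assumptions, and SQLite is used so the example runs without a database server.

```php
<?php
// Added example (not AVideo's code). Record every txn_id in a table with a primary key and
// credit the wallet only when the insert succeeds, so a replayed IPN is a no-op. The table
// layout and the IPN fields used here are assumptions for this example.
declare(strict_types=1);

function setupLedger(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS ipn_seen (txn_id TEXT PRIMARY KEY, received_at INTEGER NOT NULL)');
    $db->exec('CREATE TABLE IF NOT EXISTS wallet (users_id INTEGER PRIMARY KEY, balance REAL NOT NULL DEFAULT 0)');
}

/**
 * @param array<string,string> $ipn IPN POST fields that have ALREADY passed the
 *                                  _notify-validate handshake (that step is outside this example).
 * @return bool true if the payment was credited, false if it was a duplicate or rejected.
 */
function applyIpn(PDO $db, array $ipn, int $usersId, string $expectedReceiver, string $expectedCurrency): bool
{
    // Field checks PayPal recommends alongside duplicate detection.
    if (($ipn['payment_status'] ?? '') !== 'Completed') { return false; }
    if (($ipn['receiver_email'] ?? '') !== $expectedReceiver) { return false; }
    if (($ipn['mc_currency'] ?? '') !== $expectedCurrency) { return false; }
    $txnId = $ipn['txn_id'] ?? '';
    if ($txnId === '') { return false; }

    $db->beginTransaction();
    try {
        // The PRIMARY KEY turns a duplicate into a constraint violation, so two concurrent
        // replays cannot both slip through a "SELECT then INSERT" race.
        $db->prepare('INSERT INTO ipn_seen (txn_id, received_at) VALUES (?, ?)')
           ->execute([$txnId, time()]);
    } catch (PDOException $e) {
        $db->rollBack();
        return false; // already processed: replay ignored
    }
    // INSERT OR IGNORE is SQLite syntax; use the equivalent upsert on other engines.
    $db->prepare('INSERT OR IGNORE INTO wallet (users_id, balance) VALUES (?, 0)')->execute([$usersId]);
    $db->prepare('UPDATE wallet SET balance = balance + ? WHERE users_id = ?')
       ->execute([(float)$ipn['mc_gross'], $usersId]);
    $db->commit();
    return true;
}

function walletBalance(PDO $db, int $usersId): float
{
    $stmt = $db->prepare('SELECT balance FROM wallet WHERE users_id = ?');
    $stmt->execute([$usersId]);
    return (float)($stmt->fetchColumn() ?: 0);
}

// Constructed demo: the same (valid) notification delivered twice credits the wallet once.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
setupLedger($db);
$ipn = [ // constructed sample, not a real PayPal message
    'txn_id'         => 'EXAMPLE-TXN-0001',
    'payment_status' => 'Completed',
    'receiver_email' => 'merchant@example.com',
    'mc_currency'    => 'USD',
    'mc_gross'       => '9.99',
];
var_dump(applyIpn($db, $ipn, 42, 'merchant@example.com', 'USD')); // bool(true)
var_dump(applyIpn($db, $ipn, 42, 'merchant@example.com', 'USD')); // bool(false)  replay
echo walletBalance($db, 42), PHP_EOL;                               // 9.99
```

For subscription renewals the same idea applies with the renewal's own txn_id; the seen-table should be retained at least as long as the longest plausible replay window rather than pruned aggressively.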


Remediation

Install update from vendor's website.

References