SB20260408175 - Multiple vulnerabilities in AVideo
Published: April 8, 2026 Updated: April 15, 2026
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Cleartext storage of sensitive information (CVE-ID: CVE-2026-33867)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in objects/video.php when storing and checking video passwords. A remote attacker who gains read access to the database can disclose the passwords of protected videos.
Passwords for protected videos are stored and compared in plaintext, so any database read, such as an SQL injection, a leaked backup or a misconfigured database account, exposes them directly.
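The contrast below is an added illustration of the weakness in item 1 and of the usual fix; it is not AVideo's code, and the row layout, column names and the video id 42 are constructed for the example. The vulnerable pattern compares the stored column to user input directly, so whoever can read the row has the password; the hardened pattern stores only a salted scrypt verifier and compares in constant time.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for rows of a videos table (column names are
# assumptions for illustration, not AVideo's schema).
VIDEOS_PLAINTEXT = {42: {"password": "hunter2"}}   # vulnerable: the column IS the secret
VIDEOS_HASHED = {}                                  # hardened: holds only a verifier

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1        # about 16 MiB per check; tune per host


def check_password_plaintext(video_id, supplied):
    """Vulnerable pattern: compare the stored column to user input directly."""
    row = VIDEOS_PLAINTEXT.get(video_id)
    return row is not None and row["password"] == supplied


def hash_video_password(password):
    """Hardened pattern: per-video random salt, memory-hard KDF, self-describing format."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def set_video_password(video_id, password):
    VIDEOS_HASHED[video_id] = {"password_hash": hash_video_password(password)}


def check_password_hashed(video_id, supplied):
    """Recompute with the stored parameters and compare in constant time."""
    row = VIDEOS_HASHED.get(video_id)
    if row is None:
        return False
    algo, n, r, p, salt_hex, digest_hex = row["password_hash"].split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(supplied.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def what_a_db_read_reveals(video_id):
    """Simulate an attacker reading each row (via SQLi, a leaked backup, a stray grant)."""
    return {
        "plaintext_row": VIDEOS_PLAINTEXT[video_id]["password"],
        "hashed_row": VIDEOS_HASHED[video_id]["password_hash"],
    }
```

The verifier string is self-describing (algorithm and cost parameters travel with the salt), so the cost can be raised later without invalidating existing rows; a migration would hash each plaintext password on its next successful check and clear the old column.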
2) Cross-site request forgery (CVE-ID: CVE-2026-34613)
The vulnerability allows a remote attacker to disable security plugins.
The vulnerability exists due to missing cross-site request forgery protection in the plugin enable/disable endpoint. A remote attacker can trick a logged-in victim into sending a crafted request that disables security plugins.
User interaction is required for exploitation.
3) Cross-site request forgery (CVE-ID: CVE-2026-34611)
The vulnerability allows a remote attacker to send phishing email to all users.
The vulnerability exists due to missing cross-site request forgery protection in emailAllUsers.json.php when handling requests to send email to all users. A remote attacker can trick a victim into submitting a crafted request to send phishing email to all users.
User interaction is required.
4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-34739)
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in testIP.php when handling the ip parameter. A remote attacker can send a specially crafted link to execute arbitrary script code in the victim's browser.
User interaction is required to open a crafted link.
5) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in TopMenu plugin menu item fields when rendering stored menu item content. A remote attacker can inject a specially crafted script payload to execute arbitrary script code in a victim's browser.
User interaction is required for a victim to view the affected content.
6) Cross-site request forgery (CVE-ID: CVE-2026-35181)
The vulnerability allows a remote attacker to modify player skin configuration.
The vulnerability exists due to missing cross-site request forgery protection in admin/playerUpdate.json.php. A remote attacker can trick a victim into submitting a crafted request to modify player skin configuration.
User interaction is required to trigger the request.
7) Cross-site request forgery (CVE-ID: CVE-2026-35180)
The vulnerability allows a remote attacker to overwrite the site logo.
The vulnerability exists due to cross-site request forgery in the site customization endpoint when handling crafted requests from a victim's browser. A remote attacker can trick a victim into submitting a specially crafted request to overwrite the site logo.
User interaction is required to trigger the crafted request.
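Items 2, 3, 6 and 7 are the same defect on four state-changing endpoints, so one added example covers all of them. It is not AVideo's code: the request shape, the site origin, the plugin name "SecurityPlugin" and the handler are constructed for illustration. The guard requires POST, checks the Origin (or Referer) header against the site's own origin when the browser sends one, and then requires a session-bound HMAC token that a cross-site page can neither read nor forge.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

SITE_ORIGIN = "https://avideo.example"   # assumption: the deployment's own origin
SERVER_SECRET = os.urandom(32)            # assumption: a persisted per-site key in real use

# Constructed plugin state; "SecurityPlugin" is a placeholder, not an AVideo plugin.
PLUGINS = {"SecurityPlugin": True}


def csrf_token(session_id):
    """Synchroniser token bound to the session: HMAC(secret, session id).
    Same-origin policy keeps it from an attacker's page, and it cannot be forged."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_valid(request, session_id):
    """True only for requests a cross-site page could not have produced."""
    if request["method"] != "POST":
        return False                                   # state changes never ride on GET
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is not None:                             # defence in depth when the browser sends it
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:  # also rejects Origin: null
            return False
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token(session_id))


def handle_plugin_toggle(request, session_id):
    """Hypothetical enable/disable handler (not AVideo's code) guarded by csrf_valid.
    The same guard belongs on the email-all-users, player-skin and site-logo endpoints."""
    if not csrf_valid(request, session_id):
        return 403, dict(PLUGINS)
    name = request["form"].get("name")
    if name not in PLUGINS:
        return 404, dict(PLUGINS)
    PLUGINS[name] = request["form"].get("enabled") == "1"
    return 200, dict(PLUGINS)
```

A forged form post from another origin carries no token (and a mismatched Origin), a token minted for a different session fails the HMAC comparison, and a GET that carries a valid token is still refused; only a POST from the site's own pages with the session's token changes state.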
8) Cross-site scripting (CVE-ID: CVE-2026-33500)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in comment markdown link processing when rendering markdown links containing a javascript: URI. A remote user can post a specially crafted comment containing a markdown link to execute arbitrary script in a victim's browser.
User interaction is required because the victim must click the rendered link.
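The example below is added here to show the check items 4, 5 and 8 lack; it is not AVideo's comment renderer or its testIP.php. The link syntax handled is a minimal [text](url) form, not a full Markdown parser, and the sample comments are constructed. The point of item 8 is that a scheme check must run after browser-style normalisation: entity-encoded ("&#106;avascript:"), mixed-case and control-character-split ("jav&#9;ascript:") schemes all become "javascript:" in the browser, so the sanitiser decodes and strips before it looks at the scheme, allows only http, https, mailto and relative URLs, and HTML-encodes everything it emits.

```python
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")          # browsers drop these inside a scheme
MARKDOWN_LINK = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")  # minimal [text](url), not a full parser


def safe_href(raw):
    """Return a usable href or None. Normalise the way a browser would before
    checking the scheme, so an encoded or split 'javascript:' cannot slip through."""
    candidate = CONTROL_CHARS.sub("", html.unescape(raw))   # &#106;avascript: , jav&#9;ascript:
    scheme = urlsplit(candidate).scheme                      # urlsplit lower-cases the scheme
    if scheme == "":
        return candidate                                      # relative URL: cannot run script
    return candidate if scheme in SAFE_SCHEMES else None


def render_comment(markdown_text):
    """Render [text](url) links; everything else is HTML-escaped (the stored XSS case)."""
    out, last = [], 0
    for m in MARKDOWN_LINK.finditer(markdown_text):
        out.append(html.escape(markdown_text[last:m.start()]))
        text, href = html.escape(m.group(1)), safe_href(m.group(2))
        if href is None:
            out.append(text)                                  # drop the link, keep the words
        else:
            out.append(f'<a href="{html.escape(href, quote=True)}" '
                       f'rel="noopener noreferrer">{text}</a>')
        last = m.end()
    out.append(html.escape(markdown_text[last:]))
    return "".join(out)


def render_test_ip(ip):
    """Reflected parameter (the testIP.php case): encode for the HTML text context."""
    return f"<p>Testing IP: {html.escape(ip, quote=True)}</p>"
```

Dropping the anchor while keeping its visible text is deliberate: a rejected link degrades to plain words rather than an error, and a user who typed a harmless relative or https link sees it rendered normally. The same rule (allowlist the scheme after normalisation, then encode for the output context) applies to the TopMenu item fields in item 5.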
9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33502)
The vulnerability allows a remote attacker to send server-side requests to arbitrary URLs and disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in plugin/Live/test.php when handling the statsURL request parameter. A remote attacker can send a specially crafted request to send server-side requests to arbitrary URLs and disclose sensitive information.
The issue can be used to probe localhost and internal network services, including cloud metadata endpoints reachable from the server, and the upstream response body or error text may be reflected back to the attacker.
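The validation below is an added example of how a server-side fetch of a user-supplied URL such as statsURL can be constrained; it is not AVideo's code. The DNS table and resolver are constructed so the example runs offline (the addresses are not real records), and the function name and return shape are assumptions. The check allows only http and https, refuses credentials and known metadata hostnames, resolves the name itself and rejects any answer that is loopback, private, link-local (which covers 169.254.169.254), CGNAT, multicast or an IPv4-mapped IPv6 disguise, then returns the address it checked so the caller connects to that address rather than resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"metadata.google.internal", "localhost"}   # assumption: names to refuse outright

# Constructed DNS table so the example runs offline; these are not real records.
CONSTRUCTED_DNS = {
    "stats.example": ["93.184.216.34"],                 # stands in for a public address
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],   # one public answer, one loopback
}


def constructed_resolver(host, port):
    """Stand-in for socket.getaddrinfo that returns the same tuple shape."""
    try:
        ips = [str(ipaddress.ip_address(host))]          # an IP literal resolves to itself
    except ValueError:
        if host not in CONSTRUCTED_DNS:
            raise socket.gaierror(f"constructed NXDOMAIN for {host}")
        ips = CONSTRUCTED_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]


def is_blocked_address(ip):
    """Loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT, multicast, unspecified."""
    a = ipaddress.ip_address(ip)
    if a.version == 6 and a.ipv4_mapped is not None:
        a = a.ipv4_mapped                                 # ::ffff:127.0.0.1 is loopback in disguise
    return (not a.is_global) or a.is_multicast


def validate_stats_url(url, resolve=socket.getaddrinfo):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip, not
    re-resolve the name, or DNS rebinding can swap the answer between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, "blocked hostname", None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        answers = resolve(host, port)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host or bad port", None
    ips = sorted({entry[4][0] for entry in answers})
    if not ips:
        return False, "unresolvable host or bad port", None
    for ip in ips:
        if is_blocked_address(ip):
            return False, f"resolves to blocked address {ip}", None
    return True, "ok", ips[0]
```

Two caveats a practitioner would add: the fetch that follows must also refuse to follow redirects (or re-run this check on every hop), since an allowed public host can 302 to a metadata address; and the rebind.example case shows why every answer, not just the first, has to pass.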
Remediation
Install updates from the vendor's website.
References
- https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg
- https://github.com/advisories/GHSA-363v-5rh8-23wg
- https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44
- https://github.com/WWBN/AVideo/security/advisories
- https://github.com/WWBN/AVideo/security/advisories/GHSA-c4xj-x7p8-3x7q
- https://github.com/WWBN/AVideo/security/advisories/GHSA-jqrj-chh6-8h78
- https://github.com/WWBN/AVideo/security
- https://github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq
- https://github.com/WWBN/AVideo/security/advisories/GHSA-4q27-4rrq-fx95
- https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c
- https://github.com/WWBN/AVideo
- https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j
- https://github.com/advisories/GHSA-72h5-39r7-r26j
- https://github.com/WWBN/AVideo/security/advisories/GHSA-3fpm-8rjr-v5mc
- https://github.com/advisories/GHSA-3fpm-8rjr-v5mc