Please report security issues to developer@streamphp.com
Security: WWBN/AVideo
Security
.github/SECURITY.md
-
** Incomplete fix for CVE-2026-45578: `execAsync()` re-wrapping in `sh -c "…"`GHSA-rc5x-vh5v-473f published
Jul 7, 2026 by DanielnetoDotComHigh -
AVideo: Encoder downloadURL SSRF via unpinned retry fallback (incomplete fix for CVE-2026-39370)GHSA-fr98-mjq9-7jmj published
Jul 7, 2026 by DanielnetoDotComModerate -
OS command injection in plugin/API/standAlone/functions.php listFFmpegProcesses() via unescaped keyword grep breakout (list / isKeywordRunning modes)GHSA-j44m-77cc-p3cc published
Jul 1, 2026 by DanielnetoDotComHigh -
OS command injection in plugin/API/standAlone/ffmpeg.json.php via unescaped notifyCode/callback fields in the execAsync completion hookGHSA-g9x9-q7qj-6mv5 published
Jul 1, 2026 by DanielnetoDotComHigh -
Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panelGHSA-7cqp-7cfv-6c3q published
Jun 22, 2026 by DanielnetoDotComHigh -
Incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sinkGHSA-wc3f-xc32-435f published
Jun 10, 2026 by DanielnetoDotComHigh -
Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket PluginGHSA-8whc-2wmv-ww35 published
Jun 4, 2026 by DanielnetoDotComCritical -
Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery SectionGHSA-66q5-cj5g-wrfx published
May 28, 2026 by DanielnetoDotComModerate -
Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery PaginationGHSA-hgjh-6wj8-gcgf published
May 28, 2026 by DanielnetoDotComModerate -
Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket HandlerGHSA-2fhx-q92v-5fhv published
May 25, 2026 by DanielnetoDotComHigh
Learn more about advisories related to WWBN/AVideo in the GitHub Advisory Database