These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-56345 is a critical authorization bypass vulnerability in AVideo's Meet plugin. The vulnerability exists in the uploadRecordedVideo.json.php endpoint, which allows an attacker to derive the target user's ID from the uploaded filename without verification. This enables an attacker with knowledge of the Meet shared secret to craft a malicious file upload and establish an authenticated session as an [truncated]
CVE-2026-56342 is a medium-severity server-side request forgery (SSRF) vulnerability in AVideo versions up to 27.0. The vulnerability exists in the plugin/Live/test.php file and allows authenticated administrators to read arbitrary URLs via the statsURL parameter. This parameter lacks proper validation, enabling requests to private IP ranges and cloud metadata endpoints. The vulnerability's CVSS score is [truncated]
CVE-2026-56341 is a high-severity vulnerability in AVideo, exposing payment transaction data, including PayPal tokens and financial records, to unauthenticated attackers. The issue arises from multiple unauthenticated list.json.php endpoints in payment plugins lacking proper authorization checks. This vulnerability allows direct retrieval of sensitive data via GET requests to vulnerable endpoints. AVideo [truncated]