These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
## Summary

CVE-2026-47696 is a **HIGH-severity (CVSS 7.1)** vulnerability in WWBN AVideo, an open-source video platform. In versions 29.0 and earlier, the Authorize.Net payment processing endpoint (`plugin/AuthorizeNet/processPayment.json.php`) contains a critical logic flaw: it **hardcodes `$paymentSuccess = true`** and credits the logged-in user's wallet based solely on an attacker-controlled `amount` P [truncated]
A stored cross-site scripting (XSS) vulnerability exists in WWBN AVideo versions 29.0 and earlier. The application stores category descriptions from user input and renders them as raw HTML in the Gallery view without proper sanitization. An authenticated user with permissions to create or edit categories can inject JavaScript payloads into category descriptions. When other users view the affected Gallery [truncated]
WWBN AVideo 29.0 and earlier contains an unauthenticated arbitrary file read vulnerability. An unauthenticated remote attacker can read arbitrary image files anywhere on disk accessible to the PHP user, including private user-profile photos protected by ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content in sibling application directories reachable via directory traversal. Th [truncated]
WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process.
WWBN AVideo versions 29.0 and earlier contain an unauthenticated user enumeration vulnerability in the objects/mention.json.php endpoint. The endpoint lacks authentication checks (no User::loginCheck() or admin gate) and only validates that the 'term' parameter begins with '@' via preg_match. With a hard-coded rowCount of 10, attackers can enumerate valid usernames without credentials. The vulnerability w [truncated]
WWBN AVideo versions 29.0 and earlier contain a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in SSRF protection mechanisms. The `isSSRFSafeURL()` function in `EpgParser.php`, `plugin/AI/receiveAsync.json.php`, and other locations returns a `$resolvedIP` out-parameter containing the DNS-resolved IP address, but this value is not subsequently used with `CURLOPT_RESOLVE` to pin the connection to that [truncated]
A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo versions 29.0 and earlier. The endpoint plugin/LoginControl/set.json.php accepts POST requests to disable two-factor authentication (2FA) for the currently authenticated user without requiring CSRF tokens, SameSite cookie enforcement, or re-authentication. An attacker can craft a malicious web page that, when visited by a logged-in vi [truncated]
A stored cross-site scripting (XSS) vulnerability exists in WWBN AVideo versions 29.0 and earlier. The Live plugin's 'YouTube-style' view renders the live transmission's stream key into an HTML class attribute via raw echo without proper output encoding. A user with canStream privileges can persist a malicious stream key containing double-quote characters and event handlers through plugin/Live/saveLive.ph [truncated]
WWBN AVideo versions 29.0 and earlier contain a shell command injection vulnerability in the live streaming notification subsystem. The plugin/Live/on_publish.php file constructs an asynchronous shell command via execAsync() by concatenating user-controlled values into a single-quoted string without applying escapeshellarg() sanitization. An attacker who can influence the $users_id, $m3u8, or $obj->liveTr [truncated]