wowza CVE Vulnerabilities & Metrics

Focus on Wowza vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About wowza Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with Wowza. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total wowza CVEs: 17
Earliest CVE date: 01 Mar 2018, 21:29 UTC
Latest CVE date: 05 Oct 2021, 16:15 UTC

Latest CVE reference: CVE-2021-35492

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical wowza CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.16

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range Count
0.0-3.9 4
4.0-6.9 9
7.0-8.9 3
9.0-10.0 1

CVSS Distribution Chart

Top 5 Highest CVSS wowza CVEs

These are the five CVEs with the highest CVSS scores for Wowza, sorted by severity first and then by recency.

All CVEs for wowza

CVE-2021-35492 wowza vulnerability CVSS: 4.0 05 Oct 2021, 16:15 UTC

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

CVE-2021-35491 wowza vulnerability CVSS: 5.8 05 Oct 2021, 16:15 UTC

A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming Engine through 4.8.11+5 allows a remote attacker to delete a user account via the /enginemanager/server/user/delete.htm userName parameter. The application does not implement a CSRF token for the GET request. This issue was resolved in Wowza Streaming Engine release 4.8.14.

CVE-2021-31540 wowza vulnerability CVSS: 3.6 23 Apr 2021, 17:15 UTC

Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.

CVE-2021-31539 wowza vulnerability CVSS: 2.1 23 Apr 2021, 17:15 UTC

Wowza Streaming Engine before 4.8.8.01 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.

CVE-2019-19455 wowza vulnerability CVSS: 7.2 03 Aug 2020, 14:15 UTC

Wowza Streaming Engine before 4.8.5 has insecure permissions which may allow a local attacker to escalate privileges in /usr/local/WowzaStreamingEngine/manager/bin/ in the Linux version of the server by writing arbitrary commands in any file and executing them as root. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE-2019-19453 wowza vulnerability CVSS: 3.5 03 Aug 2020, 14:15 UTC

Wowza Streaming Engine before 4.8.5 allows XSS (issue 1 of 2). An authenticated user with access to proxy license editing is able to insert a malicious payload that will be triggered in the main page of server settings. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE-2019-19456 wowza vulnerability CVSS: 4.3 18 May 2020, 17:15 UTC

A Reflected XSS was found in the server selection box inside the login page at: enginemanager/loginfailed.html in Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.

CVE-2019-19454 wowza vulnerability CVSS: 5.0 18 May 2020, 17:15 UTC

An arbitrary file download was found in the "Download Log" functionality of Wowza Streaming Engine <= 4.x.x. This issue was resolved in Wowza Streaming Engine 4.8.0.

CVE-2020-9004 wowza vulnerability CVSS: 9.0 14 Apr 2020, 15:15 UTC

A remote authenticated authorization-bypass vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any read-only user to issue requests to the administration panel in order to change functionality. For example, a read-only user may activate the Java JMX port in unauthenticated mode and execute OS commands under root privileges. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE-2019-7656 wowza vulnerability CVSS: 7.2 29 Jan 2020, 16:15 UTC

A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets overly relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. A payload injected into one of those files will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE-2019-7655 wowza vulnerability CVSS: 3.5 29 Jan 2020, 16:15 UTC

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE-2019-7654 wowza vulnerability CVSS: 4.3 29 Jan 2020, 16:15 UTC

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.

CVE-2018-19365 wowza vulnerability CVSS: 6.4 21 Mar 2019, 16:00 UTC

The REST API in Wowza Streaming Engine 4.7.4.01 allows traversal of the directory structure and retrieval of a file via a remote, specially crafted HTTP request.

CVE-2017-16922 wowza vulnerability CVSS: 5.0 05 Mar 2018, 18:29 UTC

In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, traversal of the directory structure and retrieval of a file are possible via a remote, specially crafted HTTP request.

CVE-2018-7049 wowza vulnerability CVSS: 4.3 01 Mar 2018, 21:29 UTC

An issue was discovered in Wowza Streaming Engine before 4.7.1. There is an XSS vulnerability in the HTTP providers (com.wowza.wms.http.HTTPProviderMediaList and com.wowza.wms.http.streammanager.HTTPStreamManager) causing script injection and/or reflection via a crafted HTTP request.

CVE-2018-7048 wowza vulnerability CVSS: 5.0 01 Mar 2018, 21:29 UTC

An issue was discovered in Wowza Streaming Engine before 4.7.1. There is a denial of service (memory consumption) via a crafted HTTP request.

CVE-2018-7047 wowza vulnerability CVSS: 7.5 01 Mar 2018, 21:29 UTC

An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system may be read and written to via JMX using the default JMX credentials (remote code execution may be possible as well).