CVE-2026-33402

Sakai is a Collaboration and Learning Environment CLE. In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAISITEGROUP table for titles an...

CVE-2026-33402 SAK-52311: Sakai site-manage group titles can contain XSS content

Sakai is a Collaboration and Learning Environment CLE. In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAISITEGROUP table for titles an...

CVE-2026-33402

Sakai is a Collaboration and Learning Environment CLE. In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAISITEGROUP table for titles an...

CVE-2026-33037

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files docker-compose.yml, env.example ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance deployed...

CVE-2026-33041

CVE-2026-33041 affects WWBN AVideo. In versions 25.0 and earlier, the endpoint /objects/encryptPass.json.php exposes the site’s password hashing algorithm to unauthenticated users, allowing submission of a password to receive its hash and enabling offline cracking against leaked database hashes. ...

CVE-2026-33041 AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password...

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo 25.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the default administrator password being a weak one, along with the use of MD5 hashing, which...

WWBN AVideo 信息泄露漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo 25.0 and earlier contained a vulnerability related to information leakage. This vulnerability stemmed from the password hashing algorithm exposed in the /objects/encryptPass.json.ph...

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo 25.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the /objects/phpsessionid.json.php file exposing the PHP session ID, along with improper...

CVE-2026-30885

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

EUVD-2026-10418

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

PT-2026-24090

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 25.0 Description The /objects/playlistsFromUser.json.php endpoint does not require authentication or authorization, allowing an unauthenticated attacker to enumerate user IDs and retrieve playlist information, includin...

CVE-2025-62710

Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password serverSecretKey using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted...

CVE-2025-62710

Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password serverSecretKey using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted...

Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password serverSecretKey using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information e.g., start time window, substantially...

GHSA-GR7H-XW4F-WH86 Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Impact EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password serverSecretKey using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information e.g., start time window, substantially...

CVE-2025-30758

Vulnerability in the Siebel CRM End User product of Oracle Siebel CRM component: User Interface. Supported versions that are affected are 25.0-25.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM End User. Successful attacks ...

Oracle Siebel CRM 信息泄露漏洞

Oracle Siebel CRM is a set of customer relationship management solutions from Oracle USA. The solution includes modules for sales management, marketing management, customer service system, and call center. A security vulnerability exists in Oracle Siebel CRM for Siebel CRM End User versions 25.0 ...

CVE-2024-52921

In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block...

Arbitrary Code Execution

Overview Affected versions of this package are vulnerable to Arbitrary Code Execution by implanting a malicious wheel file in pip's installation directory, which will replace the module being installed and get executed during installation. Note: The specific vulnerable behavior arises because...