Astra Linux - уязвимость в netty

The Bzip2 decompression decoder function does not allow setting size restrictions on the decompressed output data which affects the allocation size used during decompression. This affects all users of Bzip2Decoder. Malicious inputs can trigger an OOME, thereby causing a DoS attack...

EUVD-2026-29887

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions...

CVE-2026-8108

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions...

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

GHSA-6RVW-7P8V-MJFQ AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction

Summary objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller including unauthenticated visitors, which defeats the admin-only guard...

Powershell Profile Persistence

This module establishes persistence by modifying a PowerShell profile script, which is automatically executed when PowerShell starts. The module supports multiple profile scopes current user or all users and safely backs up any existing profile prior to modification, enabling clean removal by...

Powershell Profile Persistence

This Metasploit module establishes persistence by modifying a PowerShell profile script, which is automatically executed when PowerShell starts. The module supports multiple profile scopes current user or all users and safely backs up any existing profile prior to modification, enabling clean...

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the...

AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

Summary The AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin...

GHSA-C4XJ-X7P8-3X7Q AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

Summary The AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin...

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVE-2026-34611

WWBN AVideo prior to version 26.0 allows CSRF on the endpoint objects/emailAllUsers.json.php, enabling a mass HTML email sent to all users without a CSRF token. The issue arises because admin sessions are valid cross-origin, given SameSite=None on cookies, allowing an attacker to lure an admin to...

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

WWBN AVideo 跨站请求伪造漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the lack of CSRF token validation on the objects/emailAllUsers.json.php endpoint, whic...

CVE-2026-33430 Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users i.e., per-machine scope, th...

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details The vulnerable route is registered as a public endpoint:...

PT-2026-27633

Name of the Vulnerable Software and Affected Versions Ech0 versions prior to 4.2.0 Description The GET /api/allusers API endpoint is publicly accessible, allowing remote unauthenticated user enumeration and exposure of user profile metadata. The route is registered under public routes in...