CVE-2026-34395 AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...
CVE-2026-34395
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...
EUVD-2026-17632
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...
CVE-2026-34395
WWBN AVideo
CVE-2026-32714
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format to construct SQL queries with user-supplied data such as issuer and keyid. This allowed an attacker to...
WWBN AVideo Security Vulnerability
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained security vulnerabilities. These vulnerabilities stemmed from a lack of administrator permission checks at the plugin/YPTWallet/view/users.json.php endpoint, which...
Unspecified Vulnerability in Apple macOS (CNVD-2026-19034)
Apple macOS is a specialized operating system developed by Apple for Mac computers. Apple macOS has a security vulnerability that stems from a logging issue that can be exploited by an attacker to cause an application to access sensitive user data...
Unspecified Vulnerability in Apple macOS Tahoe (CNVD-2026-19035)
Apple macOS Tahoe is an operating system from the American company Apple. A security vulnerability exists in Apple macOS Tahoe, which stems from a directory path resolution issue that can be exploited by attackers to cause an application to access sensitive user data...
Unspecified vulnerability in Apple macOS Tahoe (CNVD-2026-19040)
Apple macOS Tahoe is an operating system from the American company Apple. Apple macOS Tahoe contains a security vulnerability that can be exploited by attackers to cause an application to access sensitive user data...
Unspecified vulnerability in Apple macOS Tahoe (CNVD-2026-19042)
Apple macOS Tahoe is an operating system from the American company Apple. Apple macOS Tahoe contains a security vulnerability that can be exploited by attackers to cause an application to access protected user data...
PT-2026-29353
Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The plugin/YPTWallet/view/users.json.php endpoint in AVideo allows any authenticated user to access personal information and wallet balances of all platform users. The endpoint incorrectly checks...
CVE-2026-25704 Incomplete privilege drop for com.system76.CosmicGreeter.GetUserData
A Privilege Dropping / Lowering Errors / Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic. This issue affects cosmic-greeter before...
CVE-2026-33882
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retriev...
ShinyHunters Walk Away from BreachForums, Leak 300,000-User Database
ShinyHunters leaves BreachForums, leaks data of 300,000 users, warns all active domains are fake, and threatens more leaks from forum backups...
CVE-2026-33882 Statamic's Markdown preview endpoint exposes sensitive user data
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retriev...
CVE-2026-33872 elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition
elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response"...
CVE-2026-33872
CVE-2026-33872 affects elixir-nodejs prior to 3.1.4. A race condition in the worker protocol enables Cross-User Data Leakage due to lack of request–response correlation, potentially returning data intended for a different user in high-throughput/concurrent scenarios. The vulnerability can disclo...