Lucene search
K

260 matches found

Github Security Blog
Github Security Blog
added 2026/03/30 5:49 p.m.10 views

AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php

Summary The categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is entirely skipped, exposing all non-private categories including those restrict...

5.3CVSS5.8AI score0.00319EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/28 11:10 p.m.2 views

CVE-2026-34364

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...

5.3CVSS5.8AI score0.00319EPSS
Exploits1References1
NVD
NVD
added 2026/03/27 6:16 p.m.13 views

CVE-2026-34364

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...

5.3CVSS0.00319EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/27 6:11 p.m.3 views

CVE-2026-34364 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...

5.3CVSS5.8AI score0.00319EPSS
Exploits1References2
CVE
CVE
added 2026/03/27 6:11 p.m.10 views

CVE-2026-34364

CVE-2026-34364 (WWBN AVideo) affects the category listing API implemented in the categories.json.php endpoint. In versions up to and including 26.0, category access control is not enforced when no ?user= parameter is provided, causing all non-private categories (including those restricted to spec...

5.3CVSS5.8AI score0.00319EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/27 6:11 p.m.23 views

CVE-2026-34364 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...

5.3CVSS0.00319EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/27 2:23 p.m.12 views

CVE-2021-27948

SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. issue 3 of 3...

7.2CVSS8.2AI score0.009EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.2 views

CVE-2026-33501

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

5.3CVSS5.7AI score0.0043EPSS
Exploits1References1
NVD
NVD
added 2026/03/23 5:16 p.m.2 views

CVE-2026-33501

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

5.3CVSS0.0043EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/23 4:28 p.m.2 views

CVE-2026-33501 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

5.3CVSS5.7AI score0.0043EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/23 4:28 p.m.25 views

CVE-2026-33501 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

5.3CVSS0.0043EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/20 8:57 p.m.5 views

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the list.json.php endpoint in the Permissions plugin. An attacker can retrieve the complete mapping of user groups to plugin permissions,...

5.4CVSS5.8AI score0.0043EPSS
Exploits1References2
OSV
OSV
added 2026/03/20 8:57 p.m.5 views

GHSA-96QP-8CMQ-JVQ8 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

Summary The endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory add.json.php,...

5.3CVSS5.9AI score0.0043EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.10 views

PT-2026-26785

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description The plugin/Permissions/View/Users groups permissions/list.json.php endpoint in AVideo lacks authentication or authorization checks, allowing unauthenticated users to retrieve the complete...

5.3CVSS5.8AI score0.0043EPSS
Exploits1References9
Github Security Blog
Github Security Blog
added 2026/03/11 2:56 p.m.5 views

Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page

Summary A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. !NOTE This is a separate...

6AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/11 2:56 p.m.2 views

GHSA-G3HP-VVQF-8VW6 Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page

Summary A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. !NOTE This is a separate...

4.6CVSS6.1AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/11 2:54 p.m.8 views

Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Description A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group membership...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/03/11 12:37 a.m.8 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management due to insufficient authorization enforcement when modifying user group memberships. An attacker can gain higher-level privileges by assigning highly privileged roles without proper validation of their own...

8.6CVSS5.8AI score0.00257EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/10 9:53 p.m.3 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/10 9:53 p.m.29 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS0.00257EPSS
Exploits0References1
Rows per page
Query Builder