Lucene search
K

121 matches found

OSV
OSV
added 2026/04/07 5:16 p.m.12 views

PYSEC-2026-123

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMINONLYCOREOPTIONS authorization set in setconfigvalue uses incorrect option names sslcert and sslkey, while the actual configuration option names are sslcertfile and sslkeyfile. This name mismatch...

6.8CVSS5.8AI score0.00142EPSS
Exploits1References1
CVE
CVE
added 2026/04/07 4:56 p.m.11 views

CVE-2026-35610

CVE-2026-35610 affects PolarLearn; in 0-PRERELEASE-14 and earlier, the account-management module’s setCustomPassword(userId, password) and deleteUser(userId) used an inverted admin check, allowing authenticated non-admin users to perform these actions and effectively escalating privileges. This i...

8.8CVSS6AI score0.00298EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/04/07 4:56 p.m.4 views

EUVD-2026-19786

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassworduserId, password and deleteUseruserId in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

8.8CVSS6AI score0.00298EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 4:56 p.m.2 views

CVE-2026-35610

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassworduserId, password and deleteUseruserId in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

8.8CVSS6AI score0.00298EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.4 views

PT-2026-30921

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassworduserId, password and deleteUseruserId in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

8.8CVSS6AI score0.00298EPSS
Exploits1References2
OSV
OSV
added 2026/04/04 6:17 a.m.5 views

GHSA-99J6-HJ87-6FCF AVideo: Unauthenticated Information Disclosure via Missing Auth on CloneSite client.log.php

Summary The plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin. The log contains internal filesystem paths, remote server URLs, and SSH connection metadata. Details...

5.3CVSS5.9AI score0.00367EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/04 6:16 a.m.7 views

AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php

Summary The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php require User::isAdmin. Details The entire...

5.3CVSS5.9AI score0.0037EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/04 6:16 a.m.4 views

GHSA-2VG4-RRX4-QCPQ AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php

Summary The plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php require User::isAdmin. Details The entire...

5.3CVSS5.9AI score0.0037EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.8 views

PT-2026-30335

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The plugin/API/check.ffmpeg.json.php endpoint allows probing the FFmpeg remote server configuration and retrieving connectivity status without authentication. The sibling endpoints kill.ffmpeg.json.ph...

5.3CVSS5.9AI score0.0037EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/04/01 11:0 p.m.3 views

CVE-2026-34395

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

6.5CVSS5.9AI score0.00316EPSS
Exploits1References1
OSV
OSV
added 2026/04/01 9:5 p.m.4 views

GHSA-G2MG-CGR6-VMV7 AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Summary The AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses th...

5.3CVSS6AI score0.00376EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/31 11:57 p.m.10 views

OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

Summary The chat.send path let authorized write-scoped callers persist /verbose session overrides even though the same stored session mutation is admin-only through sessions.patch. Impact A write-scoped gateway caller could persist verbose output for later runs and expose more reasoning or tool...

8.8CVSS5.9AI score0.00209EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/31 11:21 p.m.1 views

GHSA-77JP-MGCW-RFMR AVideo vulnerable to Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

Severity: High CWE: CWE-862 Missing Authorization Summary The plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin, so any...

6.5CVSS5.9AI score0.00316EPSS
Exploits1References4
NVD
NVD
added 2026/03/31 9:16 p.m.10 views

CVE-2026-34395

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

6.5CVSS0.00316EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/31 8:38 p.m.9 views

EUVD-2026-17632

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

6.5CVSS5.9AI score0.00316EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/31 8:38 p.m.5 views

CVE-2026-34395

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

6.5CVSS5.9AI score0.00316EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.5 views

PT-2026-29353

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The plugin/YPTWallet/view/users.json.php endpoint in AVideo allows any authenticated user to access personal information and wallet balances of all platform users. The endpoint incorrectly checks...

6.5CVSS5.9AI score0.00316EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/03/29 3:40 p.m.5 views

AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records

Summary Multiple payment plugin list.json.php endpoints lack authentication and authorization checks, allowing unauthenticated attackers to retrieve all payment transaction records including PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads with transaction...

5.9AI score
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/27 2:24 p.m.1 views

CVE-2026-33761

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories add.json.php, delete.json.php, index.php requires User::isAdmin. An...

5.3CVSS5.8AI score0.00382EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/26 8:32 p.m.5 views

GO-2026-4700 SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB in github.com/siyuan-note/siyuan/kernel

SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB in github.com/siyuan-note/siyuan/kernel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

6.5CVSS5.9AI score0.00246EPSS
Exploits1References3
Rows per page
Query Builder