Lucene search
K

509 matches found

Vulnrichment
Vulnrichment
added 2026/04/06 7:9 p.m.4 views

CVE-2026-35181 WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

4.3CVSS5.9AI score0.00134EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/06 7:9 p.m.17 views

CVE-2026-35181 WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

4.3CVSS0.00134EPSS
Exploits1References1
CVE
CVE
added 2026/04/06 7:9 p.m.13 views

CVE-2026-35181

CVE-2026-35181 affects WWBN AVideo prior to 29.x. The endpoint admin/playerUpdate.json.php does not validate CSRF tokens, and the ORM security check excludes the plugins table via ignoreTableSecurityCheck(), removing the remaining defense. Coupled with SameSite=None cookies, an authenticated admi...

4.3CVSS5.9AI score0.00134EPSS
Exploits1References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 11:43 p.m.5 views

AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...

4.3CVSS6AI score0.00134EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/03 8:18 p.m.3 views

CVE-2026-28767 Gardyn Cloud API Missing Authentication for Critical Function

A specific administrative endpoint notifications is accessible without proper authentication...

6.9CVSS5.9AI score0.00377EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/03 8:15 p.m.21 views

CVE-2026-32646 Gardyn Cloud API Missing Authentication for Critical Function

A specific administrative endpoint is accessible without proper authentication, exposing device management functions...

8.7CVSS0.00486EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/03 8:15 p.m.4 views

CVE-2026-32646

A specific administrative endpoint is accessible without proper authentication, exposing device management functions...

8.7CVSS5.9AI score0.00486EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.4 views

PT-2026-30285

Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...

4.3CVSS6AI score0.00134EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/02 8:44 p.m.7 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing restoreTenant from the adminMutationMWConfig. An attacker can overwrite the entire database, read arbitrary server-side files, and perform server-side request forgery by sending crafted requests to t...

10CVSS5.9AI score0.00452EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/02 8:44 p.m.10 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing restoreTenant from the adminMutationMWConfig. An attacker can overwrite the entire database, read arbitrary server-side files, and perform server-side request forgery by sending crafted requests to t...

10CVSS5.9AI score0.00452EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/04/02 1:54 p.m.6 views

org.keycloak.services.resources.admin.UserResource: Keycloak: Information disclosure of disabled user attributes via administrative endpoint

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized...

2.7CVSS5.8AI score0.00332EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/31 8:39 p.m.9 views

EUVD-2026-17630

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/31 4:59 a.m.7 views

CVE-2026-29909

MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials...

5.3CVSS5.9AI score0.0041EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.5 views

PT-2026-29352

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description AVideo’s admin plugin configuration endpoint admin/save.json.php is susceptible to cross-site request forgery CSRF attacks due to the absence of CSRF token validation. The application's configuration...

8.1CVSS5.9AI score0.00233EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/03/30 12:0 a.m.2 views

CVE-2026-29909

MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials...

5.9AI score0.0041EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/26 12:0 a.m.4 views

PT-2026-28657

Name of the Vulnerable Software and Affected Versions itsourcecode Free Hotel Reservation System version 1.0 Description A manipulation of the image argument in the file '/admin/mod amenities/index.php?view=add' causes unrestricted upload. The attack can be carried out remotely. The exploit has...

5.8CVSS5.7AI score0.00223EPSS
Exploits0References8
NVD
NVD
added 2026/03/23 5:16 p.m.2 views

CVE-2026-33501

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

5.3CVSS0.0043EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/20 2:41 a.m.3 views

Incorrect Privilege Assignment

Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the signupHandler function. An attacker can gain full administrative privileges by registering a new account when self-registration is enabled and the default permissions include administrative rights...

10CVSS5.9AI score0.00677EPSS
Exploits1References2
OSV
OSV
added 2026/03/11 6:31 a.m.12 views

GHSA-XH32-C9WX-PHRP Keycloak: Information disclosure of disabled user attributes via administrative endpoint

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized...

2.7CVSS5.8AI score0.00332EPSS
Exploits0References9
EUVD
EUVD
added 2026/03/11 6:31 a.m.4 views

EUVD-2026-11107

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized...

2.7CVSS5.7AI score0.00332EPSS
Exploits0References3
Rows per page
Query Builder