Lucene search
K

9 matches found

Cvelist
Cvelist
added 2026/06/20 8:29 a.m.32 views

CVE-2026-11911 Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFLDeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server,...

7.5CVSS0.0078EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:40 p.m.9 views

CVE-2026-43881

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS5.4AI score0.0027EPSS
Exploits0References1
NVD
NVD
added 2026/05/11 10:22 p.m.10 views

CVE-2026-43881

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS0.0027EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 8:38 p.m.37 views

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS0.0027EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/11 8:38 p.m.6 views

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS5.7AI score0.0027EPSS
Exploits0References2
CVE
CVE
added 2026/05/11 8:38 p.m.10 views

CVE-2026-43881

Technical details about CVE-2026-43881 are not provided in the connected documents. The Initial Description summarizes the vulnerability, but no vendor/product/version specifics or remediation are included here. Monitor for updated advisories and fixes.

5.3CVSS5.7AI score0.0027EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/05 10:2 p.m.9 views

AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction

Summary objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller including unauthenticated visitors, which defeats the admin-only guard...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/31 8:51 p.m.2 views

CVE-2026-34732

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php...

5.3CVSS5.9AI score0.00376EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/03/26 7:0 p.m.3 views

GHSA-WQ58-2PVG-5H4F OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers

Summary Before v2026.3.23, the Gateway agent RPC accepted /reset and /new for callers with only operator.write, even though the direct sessions.reset RPC correctly requires operator.admin. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.23 - Latest released tag checked:...

7.1CVSS5.8AI score0.00272EPSS
Exploits0References3
Rows per page
Query Builder