12 matches found

Cvelist (added 2026/05/14 4:17 p.m., 50 views)

CVE-2026-44511 Katalyst Koi: Session cookies can be replayed after user logout

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

CVSS 7.4 · EPSS 0.00197 · Exploits 0 · References 1
CVE (added 2026/05/14 4:17 p.m., 9 views)

CVE-2026-44511

Katalyst Koi (Rails admin framework) had a session-cookie handling flaw: before versions 4.20.0 and 5.6.0, admin session cookies were not invalidated at logout, allowing an attacker with a valid cookie to access admin functionality after logout until expiration or rotation. Affected versions incl...

CVSS 7.4 · AI score 5.8 · EPSS 0.00197 · Exploits 0 · References 1
RubySec (added 2026/05/07 12:00 a.m., 8 views)

Session cookies can be replayed after user logout

Impact: Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin...

CVSS 7.4 · AI score 5.8 · EPSS 0.00197 · Exploits 0 · References 1 · Affected Software 1
EUVD (added 2026/04/01 8:48 p.m., 7 views)

EUVD-2026-17638

AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users...

CVSS 6.5 · AI score 5.9 · EPSS 0.00157 · Exploits 1 · References 3
OSV (added 2026/03/31 8:42 p.m., 6 views)

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

CVSS 6.5 · AI score 6 · EPSS 0.00157 · Exploits 1 · References 3
Hacker One (added 2025/10/26 7:51 p.m., 10 views)

Revive Adserver: Stored XSS in Conversion Statistics via Tracker Name

I found stored XSS on the conversion statistics page. Advertisers can inject malicious JavaScript through tracker names, which executes when admins view conversion reports (www/admin/stats-conversions.php:356). I was able to steal admin session cookies using this vulnerability. This is a privilege...

CVSS 8.7 · AI score 6.6 · EPSS 0.00445 · Exploits 1
Snyk (added 2025/03/20 12:32 p.m., 3 views)

Cross-site Scripting (XSS)

Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). An attacker with a user-level account can manipulate session cookies to hijack administrator sessions, leading to unauthorized actions and potential system compromise by embedding a...

CVSS 9 · AI score 6.8 · EPSS 0.00614 · Exploits 1 · References 2
Prion (added 2021/11/01 12:15 p.m., 16 views)

Cross site scripting

AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross-Site Scripting vulnerabilities via the u parameter which allow a remote attacker to steal administrators' session cookies or perform actions as an administrator...

CVSS 4.3 · AI score 6.3 · EPSS 0.01148 · Exploits 1 · References 3 · Affected Software 1
Positive Technologies (added 2021/11/01 12:00 a.m., 2 views)

PT-2021-16826 · Unknown · Avideo/Youphptube

Name of the Vulnerable Software and Affected Versions: AVideo/YouPHPTube versions 10.0 and prior. Description: The issue affects AVideo/YouPHPTube, allowing a remote attacker to steal administrators' session cookies or perform actions as an administrator due to multiple reflected Cross Scripting...

CVSS 6.1 · AI score 6.2 · EPSS 0.01148 · Exploits 1 · References 6
Positive Technologies (added 2021/11/01 12:00 a.m., 3 views)

PT-2021-16823 · Unknown · Avideo/Youphptube

Name of the Vulnerable Software and Affected Versions: AVideo/YouPHPTube versions 10.0 and prior. Description: The issue allows a remote attacker to steal administrators' session cookies or perform actions as an administrator due to multiple reflected Cross Scripting vulnerabilities. This is...

CVSS 6.1 · AI score 6.2 · EPSS 0.01148 · Exploits 1 · References 6
Hacker One (added 2020/11/17 4:35 p.m., 66 views)

U.S. Dept Of Defense: Blind stored XSS due to insecure contact form at https://█████.mil leads to leakage of session token and

Summary: I have discovered a blind stored cross-site scripting vulnerability due to an insecure Contact form available here: https://███████.mil/ This form does not properly sanitize user input, allowing for the insertion and submission of dangerous characters such as angle brackets. I was able to...

Exploits 0
CNVD (added 2018/08/24 12:00 a.m., 3 views)

Aruba ClearPass Cross-Site Scripting Vulnerability

Aruba ClearPass is an access management system from Aruba Networks that integrates network control, application and device management capabilities. The system manages everything related to BYOD (Bring Your Own Device) from a single location. A cross-site scripting vulnerability exists in Aruba...

CVSS 6.1 · AI score 6 · EPSS 0.00922 · Exploits 0 · References 1