Lucene search
K

811 matches found

CVE
CVE
added 2026/04/21 10:37 p.m.22 views

CVE-2026-41057

CVE-2026-41057 affects WWBN AVideo (versions 29.0 and below). The issue arises from two incomplete CORS mitigations: (1) in plugin/API/router.php (lines 4–8) the server unconditionally reflects arbitrary Origin before application code runs, and (2) get.json.php and set.json.php call allowOrigin(t...

7.1CVSS5.9AI score0.00132EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/04/21 10:35 p.m.46 views

CVE-2026-41056 AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

8.1CVSS0.00335EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/21 10:28 a.m.2 views

CVE-2026-41039 Information Disclosure Vulnerability in Quantum Networks Router QN-I-470

This vulnerability exists in Quantum Networks router due to improper access control and insecure default configuration in the web-based management interface. An unauthenticated attacker could exploit this vulnerability by accessing exposed API endpoints on the targeted device. Successful...

8.7CVSS5.8AI score0.00261EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.8 views

Hermes Web UI 路径遍历漏洞

Hermes Web UI is a lightweight, dark-themed web interface developed by Nathan Esquenazi. Hermes Web UI has a path traversal vulnerability, which stems from a failure in trust boundaries. This vulnerability allows authenticated attackers to manipulate the workspace path parameters in endpoints suc...

6.3CVSS5.8AI score0.0026EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.20 views

PT-2026-34193

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update,...

6.3CVSS5.9AI score0.0026EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.9 views

Frappe HR 访问控制错误漏洞

Frappe HR is an open-source human resources management system developed by Frappe. Versions of Frappe HR prior to 15.58.1 and 16.4.1 contained a security vulnerability related to access control. This vulnerability allowed authenticated users with the default role to access certain API endpoints,...

6.5CVSS6.6AI score0.00232EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.11 views

PT-2026-34203

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...

7.1CVSS5.9AI score0.00132EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/20 12:0 a.m.11 views

Fudo Enterprise 安全漏洞

Fudo Enterprise is a security control platform for privileged access management and session auditing developed by the Polish company Fudo. Versions of Fudo Enterprise 5.6.2 and earlier contained security vulnerabilities. These vulnerabilities were due to inadequate protection of API endpoints,...

6.5CVSS5.8AI score0.00257EPSS
Exploits0References1
NVD
NVD
added 2026/04/15 9:16 a.m.5 views

CVE-2026-3643

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permissioncallback set to returntrue...

7.2CVSS0.00411EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/04/14 11:18 p.m.6 views

WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses

Summary The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and 2...

7.1CVSS6.1AI score0.00132EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/14 11:18 p.m.8 views

WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover

Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...

8.1CVSS5.9AI score0.00335EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/14 11:18 p.m.10 views

GHSA-CCQ9-R5CW-5HWQ WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover

Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...

8.1CVSS5.9AI score0.00335EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/07 8:9 p.m.3 views

CVE-2026-39397 @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.4CVSS5.9AI score0.00376EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/07 8:9 p.m.2 views

CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.4CVSS5.9AI score0.00376EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/04/07 6:31 p.m.4 views

Missing Authorization

Overview openviking is an An Agent-native context database Affected versions of this package are vulnerable to Missing Authorization via the task polling. An attacker can access sensitive metadata belonging to other users by sending unauthenticated requests to the /api/v1/tasks and...

6.9CVSS5.8AI score0.00384EPSS
Exploits1References2
GithubExploit
GithubExploit
added 2026/04/06 3:24 p.m.180 views

Exploit for CVE-2026-35616

markdown CVE-2026-35616 - FortiClient EMS API Authentication B...

9.8CVSS6AI score0.88505EPSS
Exploits8
Snyk
Snyk
added 2026/03/27 7:36 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

8.8CVSS5.9AI score0.00406EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/27 6:13 p.m.4 views

CVE-2026-34369

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideofile and getapivideo API endpoints in AVideo return full video playback sources direct MP4 URLs, HLS manifests for password-protected videos without verifying the video password. While the normal we...

5.3CVSS5.9AI score0.00376EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/27 6:13 p.m.14 views

CVE-2026-34369

CVE-2026-34369 affects WWBN AVideo prior to patch be344206f2f461c034ad2f1c5d8212dd8a52b8c7. In versions up to 26.0, the get_api_video_file and get_api_video API endpoints return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video ...

5.3CVSS5.9AI score0.00376EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 7:34 p.m.2 views

CVE-2026-33530

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...

7.7CVSS5.8AI score0.00204EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder