CVE-2026-43877

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

CVE-2026-43877

CVE-2026-43877 (WWBN/AVideo) : CSRF in objects/userSavePhoto.php allows a logged‑in user’s profile photo to be overwritten with arbitrary bytes via a crafted cross‑origin POST, due to missing CSRF protection (the endpoint does not use the .json.php suffix and is excluded from autoCSRFGuard), no t...

CVE-2025-25613

FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch, 8 x Gigabit RJ45, with 2 x 1Gb SFP, Fanless. All versions before 2.2.0D Build 135103 were discovered to transmit cookies for their web based administrative application containing usernames and passwords. These were transmitted in cleartext usi...

The vulnerability in the /cgi-bin/wlogin.cgi web interface for managing DrayTek Vigor router software allows a hacker to execute arbitrary code.

The vulnerability in the CGI-BIN/WLOGIN.CGI web interface script of the DrayTek Vigor router software relates to the execution of operations beyond the buffer limits in memory. Exploiting this vulnerability allows an attacker to execute arbitrary code by sending a specially crafted HTTP POST...