75 matches found
CVE-2026-29058
AVideo before 7.0 is vulnerable to unauthenticated OS command injection via the base64Url parameter in objects/getImage.php. The base64-decoded value is interpolated into an ffmpeg shell command without proper escaping, allowing arbitrary command execution and potential full server compromise. AM...
GHSA-9J26-99JH-V26Q WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Impact An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration secrets, internal keys, credentials, and service disruption...
PT-2026-23005
Name of the Vulnerable Software and Affected Versions AVideo versions prior to 7.0 Description AVideo is a video-sharing Platform software susceptible to unauthenticated Remote Code Execution RCE. An attacker can inject shell command substitution into the base64Url GET parameter, potentially...
CVE-2026-21899
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP to secure communications between a spacecraft running the core Flight System cFS and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping...
CVE-2026-21899
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP to secure communications between a spacecraft running the core Flight System cFS and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping...
CVE-2026-21899
CVE-2026-21899 affects CryptoLib (SDLS-EP) used with cFS ground stations. Prior to v1.4.3, base64urlDecode dereferences input[inputLen-1] before validating inputLen or NULL input, causing an out-of-bounds read at input[-1] when inputLen==0 and potentially a NULL dereference if input==NULL and inp...
CVE-2026-21899 CryptoLib has an out-of-bounds read and crash vulnerability when decoding an empty Base64url string
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP to secure communications between a spacecraft running the core Flight System cFS and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping...
CVE-2026-21899 CryptoLib has an out-of-bounds read and crash vulnerability when decoding an empty Base64url string
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP to secure communications between a spacecraft running the core Flight System cFS and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping...
CVE-2026-21899 CryptoLib has an out-of-bounds read and crash vulnerability when decoding an empty Base64url string
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures SDLS-EP to secure communications between a spacecraft running the core Flight System cFS and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping...
Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer
Researchers have found evidence that AI conversations were inserted in Google search results to mislead macOS users into installing the Atomic macOS Stealer AMOS. Both Grok and ChatGPT were found to have been abused in these attacks. Forensic investigation of an AMOS alert showed the infection...
EUVD-2022-5902
Malicious code in bioql PyPI...
CVE-2019-5127
A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in...
Node.js: fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
The vulnerability in the undici library in Node.js was that the parseHashWithOptions function did not properly handle base64url encoded hashes and invalid hashes. This allowed resources to be loaded without the expected Subresource Integrity SRI checks being performed...
VulnCheck KEV: CVE-2019-5128
A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in...
VulnCheck KEV: CVE-2019-5127
A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in...
Design/Logic Flaw
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has...
CVE-2022-25898 Improper Verification of Cryptographic Signature
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has...
CVE-2022-25898
The CVE-2022-25898 entry concerns the jsrsasign library (pre-10.5.25) where JWS/JWT signatures with non Base64URL-encoded or escaped characters may be validated as valid. Affected component: jsrsasign; root cause: improper verification of cryptographic signatures. Impact (per sources): potential ...
CVE-2022-25898
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has...
jsrsasign 数据伪造问题漏洞
The jsrsasign package is an open source cryptographic library from the individual developer Kenji Urashima in Japan. A security vulnerability exists in jsrsasign versions prior to 10.5.25, which stems from a vulnerability to incorrect validation of cryptographic signatures when JWS or JWT...