CVE-2026-40926 WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the handling of certain admin JSON endpoints, specifically categoryAddNew.json.php, categoryDelete.json.php, and...

CVE-2025-52470

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting XSS vulnerability exists in the sessioncategoryadd.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScrip...

CVE-2025-52470 Chamilo: Stored Cross-Site Scripting (XSS) via Session Category Name

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting XSS vulnerability exists in the sessioncategoryadd.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScrip...

CVE-2025-52470

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting XSS vulnerability exists in the sessioncategoryadd.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScrip...

PT-2026-22617

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting XSS vulnerability exists in the session category add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent...

Chamilo 跨站脚本漏洞

Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.30 had a cross-site scripting vulnerability. This vulnerability stemmed from improper cleaning of the category name field in the file sessioncategoryadd.php, which could allow privileged...

EUVD-2025-199651

An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...

CVE-2025-13574

A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit...

CVE-2025-13574

A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit...

CVE-2025-13574 code-projects Online Bidding System addcategory.php categoryadd unrestricted upload

A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit...

Code-Projects Online Bidding System 代码问题漏洞

Code-Projects Online Bidding System is a Code-Projects open source online bidding system. Code-Projects Online Bidding System version 1.0 has a code issue vulnerability, the vulnerability stems from the file /administrator/addcategory.php function categoryadd to the parameter catimage incorrect...

PT-2025-47868

A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit...

MRCMS 代码注入漏洞

MRCMS is a content management system by the individual developer of marker. A code injection vulnerability exists in MRCMS version 3.1.2, which stems from the improper handling of the parameter Name in the file /admin/category/add.do in the component Category Management Page, which could lead to ...

CVE-2023-45901

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery CSRF via the component /admin/category/add...

CVE-2023-45901

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery CSRF via the component /admin/category/add...

CVE-2023-45901

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery CSRF via the component /admin/category/add...

Cross site request forgery (csrf)

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery CSRF via the component /admin/category/add...

PT-2023-29755 · Unknown · Dreamer Cms

Name of the Vulnerable Software and Affected Versions: Dreamer CMS version 4.1.3 Description: A Cross-Site Request Forgery CSRF issue was discovered in the /admin/category/add component. This allows for unauthorized actions to be performed on behalf of a user. Recommendations: For Dreamer CMS...

Dreamer CMS Cross-Site Request Forgery Vulnerability

Dreamer CMS is a dreamer content management system by Junnan Wang, an individual developer in China. A security vulnerability exists in Dreamer CMS version v4.1.3. An attacker can exploit this vulnerability to conduct cross-site request forgery CSRF attacks via the component /admin/category/add...