100 matches found

NVD
added 2026/04/21 11:16 p.m.

CVE-2026-40928

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

CVSS 5.4 | EPSS 0.00028
Exploits 1 | References 2
ATTACKERKB
added 2026/04/21 10:14 p.m.

CVE-2026-40928

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

CVSS 5.4 | AI score 5.7 | EPSS 0.00028
Exploits 1 | References 3 | Affected Software 1
CVE
added 2026/04/21 10:14 p.m.

CVE-2026-40928

WWBN AVideo (versions ≤ 29.0) exposes state-changing JSON endpoints under objects/ without CSRF protection or origin/referer checks. A logged-in user can be coerced to perform actions via attacker-controlled HTML: like/dislike comments (objects/comments_like.json.php), post comments with attacker...

CVSS 5.4 | AI score 5.7 | EPSS 0.00028
Exploits 1 | References 2 | Affected Software 1
EUVD
added 2026/04/21 10:14 p.m.

EUVD-2026-24523

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

CVSS 5.4 | AI score 5.7 | EPSS 0.00028
Exploits 1 | References 2
CVE
added 2026/04/21 10:12 p.m.

CVE-2026-40926

WWBN AVideo

CVSS 7.1 | AI score 5.9 | EPSS 0.00031
Exploits 1 | References 2 | Affected Software 1
ATTACKERKB
added 2026/04/21 10:12 p.m.

CVE-2026-40926

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

CVSS 7.1 | AI score 5.9 | EPSS 0.00031
Exploits 1 | References 3 | Affected Software 1
Positive Technologies
added 2026/04/21 12:00 a.m.

PT-2026-34197

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description Cross-Site Request Forgery occurs in three admin-only JSON endpoints: 'objects/categoryAddNew.json.php', 'objects/categoryDelete.json.php', and 'objects/pluginRunUpdateScript.json.php'. These...

CVSS 7.1 | AI score 5.9 | EPSS 0.00031
Exploits 1 | References 6
CNNVD
added 2026/04/21 12:00 a.m.

WWBN AVideo Cross-Site Request Forgery Vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained a cross-site request forgery vulnerability. This vulnerability stemmed from multiple AVideo JSON endpoints under the objects/ directory accepting status...

CVSS 5.4 | AI score 5.7 | EPSS 0.00028
Exploits 1 | References 1
OSV
added 2026/04/14 11:12 p.m.

GHSA-FFW8-FWXP-H64W WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

Summary Three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and perform state-changing actions against the database without calling...

CVSS 7.1 | AI score 6.1 | EPSS 0.00031
Exploits 1 | References 4
RedhatCVE
added 2026/03/28 4:56 a.m.

CVE-2026-30527

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

CVSS 5.4 | AI score 5.9 | EPSS 0.0001
Exploits 1 | References 1
EUVD
added 2026/03/27 6:31 p.m.

EUVD-2026-16672

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

AI score 5.9 | EPSS 0.0001
Exploits 1 | References 2
NVD
added 2026/03/27 4:16 p.m.

CVE-2026-30527

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

CVSS 5.4 | EPSS 0.0001
Exploits 1 | References 1
CNNVD
added 2026/03/27 12:00 a.m.

SourceCodester Online Food Ordering System Security Vulnerability

The SourceCodester Online Food Ordering System is an open-source online ordering system developed by SourceCodester. Version 1.0 of the SourceCodester Online Food Ordering System has a security vulnerability. This vulnerability arises from the fact that the category management module on the...

CVSS 5.4 | AI score 5.6 | EPSS 0.0001
Exploits 1 | References 1
Cvelist
added 2026/03/27 12:00 a.m.

CVE-2026-30527

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

EPSS 0.0001
Exploits 1 | References 1
CVE
added 2026/03/27 12:00 a.m.

CVE-2026-30527

CVE-2026-30527 describes a Stored XSS in SourceCodester Online Food Ordering System v1.0, specifically in the admin Panel’s Category management module. The vulnerability stems from improper sanitization of the Category Name field during create/update, allowing injected JavaScript to execute when ...

CVSS 5.4 | AI score 5.9 | EPSS 0.0001
Exploits 1 | References 1 | Affected Software 1
Positive Technologies
added 2026/03/27 12:00 a.m.

PT-2026-28401

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

AI score 5.9 | EPSS 0.0001
Exploits 1 | References 2
ATTACKERKB
added 2026/03/27 12:00 a.m.

CVE-2026-30527

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

AI score 5.9 | EPSS 0.0001
Exploits 1 | References 2
Vulnrichment
added 2026/03/27 12:00 a.m.

CVE-2026-30527

A Stored Cross-Site Scripting XSS vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. Whe...

AI score 5.9 | EPSS 0.0001
Exploits 1 | References 1
Positive Technologies
added 2026/03/03 12:00 a.m.

PT-2026-22787

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage category.php...

AI score 6 | EPSS 0.00011
Exploits 1 | References 1
RedhatCVE
added 2026/01/07 9:19 a.m.

CVE-2024-2749

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting categorie...

CVSS 5.9 | AI score 6.8 | EPSS 0.00077
Exploits 2 | References 1