
3087 matches found

OSV
added 2026/03/23 4:35 p.m., 2 views

USN-8118-1 rust-sized-chunks vulnerabilities

Yechan Bae discovered that sized-chunks did not properly validate array size when constructing Chunk. An attacker could possibly use these issues to cause out-of-bounds access, leading to memory corruption or undefined behavior. CVE-2020-25791, CVE-2020-25792, CVE-2020-25793 Yechan Bae discovered...

CVSS: 7.5, AI score: 7, EPSS: 0.00521
Exploits: 5, References: 6
NVD
added 2026/03/23 3:16 p.m., 0 views

CVE-2026-33478

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS: 10, EPSS: 0.07135
Exploits: 1, References: 2
OSV
added 2026/03/23 2:1 p.m., 2 views

CVE-2026-33478 AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS: 10, AI score: 6.4, EPSS: 0.07135
Exploits: 1, References: 4
Vulnrichment
added 2026/03/23 2:1 p.m., 1 views

CVE-2026-33478 AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS: 10, AI score: 6.4, EPSS: 0.07135
Exploits: 1, References: 2
CVE
added 2026/03/23 2:1 p.m., 5 views

CVE-2026-33478

The connected GHSA advises multiple vulnerabilities in AVideo’s CloneSite plugin chain, allowing an unauthenticated attacker to achieve remote code execution and full database disclosure. Key vectors include: (1) clones.json.php exposing clone keys without authentication, (2) cloneServer.json.php...

CVSS: 10, AI score: 6.4, EPSS: 0.07135
In wild, Exploits: 1, References: 2, Affected Software: 1
ATTACKERKB
added 2026/03/23 2:1 p.m., 0 views

CVE-2026-33478

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS: 10, AI score: 6.4, EPSS: 0.07135
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/03/23 2:1 p.m., 171 views

CVE-2026-33478 AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS: 10, EPSS: 0.07135
Exploits: 1, References: 2
OSSF Malicious Packages
added 2026/03/23 9:41 a.m., 4 views

Malicious code in license-utils-kit (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 eb0116c55754c947c819c966f213a99864511536a414619cf3154b89be59f9e8 Malicious clone of legitimate "license" package. When using the findbykey function, the malicious code from strongly obfuscated files is loaded. It then at lea...

AI score: 6
Exploits: 0, References: 4
OSV
added 2026/03/23 9:41 a.m., 1 views

MAL-2026-2084 Malicious code in license-utils-kit (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 eb0116c55754c947c819c966f213a99864511536a414619cf3154b89be59f9e8 Malicious clone of legitimate "license" package. When using the findbykey function, the malicious code from strongly obfuscated files is loaded. It then at lea...

AI score: 6
Exploits: 0, References: 4
Veracode
added 2026/03/23 9:18 a.m., 4 views

Command Injection

MCP Watch is vulnerable to Command Injection. The vulnerability is due to unsanitized user input being passed to execSync in the cloneRepo method, which allows an attacker to append shell metacharacters to the URL and execute arbitrary commands on the host system...

CVSS: 9.8, AI score: 6.1, EPSS: 0.01107
Exploits: 1, References: 2, Affected Software: 1
NVD
added 2026/03/22 5:17 p.m., 0 views

CVE-2026-33293

WWBN AVideo is an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences e.g., ../../ to delete...

CVSS: 8.1, EPSS: 0.00063
Exploits: 1, References: 2
Vulnrichment
added 2026/03/22 4:35 p.m., 1 views

CVE-2026-33293 AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

WWBN AVideo is an open source video platform. Prior to version 26.0, the deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences e.g., ../../ to delete...

CVSS: 8.1, AI score: 5.9, EPSS: 0.00063
Exploits: 1, References: 2
CVE
added 2026/03/22 4:35 p.m., 10 views

CVE-2026-33293

CVE-2026-33293 affects WWBN AVideo. The CloneSite cloneServer.json.php path-traversal flaw allows an attacker with valid clone credentials to pass unsanitized deleteDump values to unlink(), enabling deletion of arbitrary server files (e.g., configuration.php) via sequences like ../../. This can l...

CVSS: 8.1, AI score: 5.9, EPSS: 0.00063
Exploits: 1, References: 2, Affected Software: 1
Github Security Blog
added 2026/03/20 8:43 p.m., 5 views

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Summary Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via...

CVSS: 10, AI score: 6.6, EPSS: 0.07135
Exploits: 1, References: 4, Affected Software: 1
OSV
added 2026/03/20 8:43 p.m., 2 views

GHSA-687Q-32C6-8X68 AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Summary Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via...

CVSS: 10, AI score: 6.6, EPSS: 0.07135
Exploits: 1, References: 4
OSV
added 2026/03/20 2:24 p.m., 1 views

OESA-2026-1660 git security update

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Git is easy to learn and has a tiny footprint with lightning fast performance. It outclasses SCM tools like Subversion, CVS, Perforce, and...

CVSS: 7.4, AI score: 5.8, EPSS: 0.00058
Exploits: 1, References: 2
OSV
added 2026/03/20 11:37 a.m., 2 views

BIT-PARSE-2026-32878 Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00016
Exploits: 0, References: 4
Positive Technologies
added 2026/03/20 12:0 a.m., 1 views

PT-2026-26765

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description AVideo, an open source video platform, has multiple security issues within its CloneSite plugin that, when combined, allow a completely unauthenticated attacker to execute code remotely. The...

CVSS: 10, AI score: 6.2, EPSS: 0.07135
Exploits: 1, References: 15
OSV
added 2026/03/19 5:12 p.m., 0 views

GHSA-XMJM-86QV-G226 AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

Summary The deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences e.g., ../../ to delete arbitrary files on the server, including critical application file...

CVSS: 8.1, AI score: 6, EPSS: 0.00063
Exploits: 1, References: 4
Github Security Blog
added 2026/03/19 5:12 p.m., 2 views

AVideo Affected by Arbitrary File Deletion via Path Traversal in CloneSite deleteDump Parameter

Summary The deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences e.g., ../../ to delete arbitrary files on the server, including critical application file...

CVSS: 8.1, AI score: 6, EPSS: 0.00063
Exploits: 1, References: 4, Affected Software: 1