Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

3860 matches found

Positive Technologies
Positive Technologiesadded 2026/04/22 12:0 a.m.10 views

PT-2026-34614

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions prior to 5.7.0 Description XMLBuilder fails to escape the "--" sequence in comment content and the "" sequence in CDATA sections when generating XML from JavaScript objects. This flaw enables XML injection if...

8.2CVSS5.7AI score0.01855EPSS
Exploits6References85
Positive Technologies
Positive Technologiesadded 2026/04/22 12:0 a.m.8 views

PT-2026-34615

Name of the Vulnerable Software and Affected Versions @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions prior to 0.6.0 Description The software allows attacker-controlled comment content to be serialized into XML without validating or neutralizing...

8.7CVSS5.9AI score0.0034EPSS
Exploits0References17
NVD
NVDadded 2026/04/21 11:16 p.m.4 views

CVE-2026-40929

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS0.00113EPSS
Exploits1References2
CVE
CVEadded 2026/04/21 10:16 p.m.16 views

CVE-2026-40929

WWBN AVideo 29.0 and earlier: the endpoint objects/commentDelete.json.php mutates state to delete comments without CSRF validation, lacking forbidIfIsUntrustedRequest(), CSRF/global token, or Origin/Referer checks. Because session.cookie_samesite=None, cross-site requests from attacker pages carr...

5.4CVSS5.6AI score0.00113EPSS
Exploits1References2Affected Software1
Cvelist
Cvelistadded 2026/04/21 10:16 p.m.33 views

CVE-2026-40929 WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS0.00113EPSS
Exploits1References2
Vulnrichment
Vulnrichmentadded 2026/04/21 10:16 p.m.2 views

CVE-2026-40929 WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS5.6AI score0.00113EPSS
Exploits1References2
ATTACKERKB
ATTACKERKBadded 2026/04/21 10:16 p.m.4 views

CVE-2026-40929

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS5.6AI score0.00113EPSS
Exploits1References3Affected Software1
EUVD
EUVDadded 2026/04/21 10:16 p.m.6 views

EUVD-2026-24525

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS5.6AI score0.00113EPSS
Exploits1References2
CVE
CVEadded 2026/04/21 10:14 p.m.14 views

CVE-2026-40928

WWBN AVideo (versions ≤ 29.0) exposes state-changing JSON endpoints under objects/ without CSRF protection or origin/referer checks. A logged-in user can be coerced to perform actions via attacker-controlled HTML: like/dislike comments (objects/comments_like.json.php), post comments with attacker...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/21 10:14 p.m.2 views

CVE-2026-40928 AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2
Cvelist
Cvelistadded 2026/04/21 10:14 p.m.31 views

CVE-2026-40928 AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS0.00115EPSS
Exploits1References2
EUVD
EUVDadded 2026/04/21 10:14 p.m.4 views

EUVD-2026-24523

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2
Vulnrichment
Vulnrichmentadded 2026/04/21 8:52 p.m.5 views

CVE-2026-40927 Docmost: XSS in Comments with JavaScript URI

Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0...

5.4CVSS5.8AI score0.00139EPSS
Exploits0References1
CVE
CVEadded 2026/04/21 8:52 p.m.12 views

CVE-2026-40927

CVE-2026-40927 — Docmost XSS in Comments : Docmost (open-source wiki) is affected prior to version 0.80.0. When leaving a page comment, a link can contain a JavaScript URI, and clicking it executes JS. The issue is fixed in 0.80.0. Impact and exploit specifics are documented as a cross-site scrip...

5.4CVSS5.8AI score0.00139EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/04/21 8:52 p.m.6 views

CVE-2026-40927

Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0...

5.4CVSS5.8AI score0.00139EPSS
Exploits0References2Affected Software1
EUVD
EUVDadded 2026/04/21 8:52 p.m.7 views

EUVD-2026-24487

Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0...

5.4CVSS5.8AI score0.00139EPSS
Exploits0References1
Patchstack
Patchstackadded 2026/04/21 7:16 p.m.6 views

WordPress Short Comment Filter plugin <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Short Comment Filter versions = 2.2...

4.4CVSS5.8AI score0.00373EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologiesadded 2026/04/21 12:0 a.m.5 views

PT-2026-34199

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.1 Description A state-mutating JSON endpoint 'objects/commentDelete.json.php' fails to perform Cross-Site Request Forgery CSRF validation. The endpoint does not utilize the forbidIfIsUntrustedRequest function,...

5.4CVSS5.7AI score0.00113EPSS
Exploits1References5
CNNVD
CNNVDadded 2026/04/21 12:0 a.m.10 views

WWBN AVideo 跨站请求伪造漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the objects/commentDelete.json.php file, which deleted comments without performi...

5.4CVSS5.7AI score0.00113EPSS
Exploits1References1
Positive Technologies
Positive Technologiesadded 2026/04/21 12:0 a.m.7 views

PT-2026-34179

Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0...

5.4CVSS5.8AI score0.00139EPSS
Exploits0References3
Rows per page
Query Builder