PT-2026-29821

Name of the Vulnerable Software and Affected Versions PraisonAI affected versions not specified Description A second-order SQL injection issue exists in the get all user threads function. The function constructs raw SQL queries using f-strings with unescaped thread IDs obtained from the database...

CVE-2026-33867

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to th...

Cleartext Storage Of Sensitive Information

wwbn/avideo is vulnerable to Cleartext Storage of Sensitive Information. The vulnerability is due to storing video passwords in plaintext without encryption or hashing, which allows an attacker with database access to retrieve all passwords in cleartext...

CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

CVE-2026-33867

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to th...

CVE-2026-33867 AVideo has Plaintext Video Password Storage

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to th...

CVE-2026-33867

Summary of the CVE and details from connected sources : The vulnerability CVE-2026-33867 affects WWBN AVideo (and Red Hat, NVD, OSV, etc. references) in versions up to and including 26.0, where video passwords are stored in plaintext in the database without hashing or encryption. If an attacker c...

CVE-2026-33867 AVideo has Plaintext Video Password Storage

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to th...

CVE-2025-41008

SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/adm/scripts/modalReportdata.php' endpoint...

CVE-2026-29099

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 7.15.1 and 8.9.3, the retrieve function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user controlled $id parameter. It is assumed that the...

CVE-2026-32306

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .appe...

CVE-2026-4815

A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls0messageids' parameter in '/supportboard/include/ajax.php' endpoint...

PT-2026-28541

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext, without hashing, salting, or encryption. An attacker gaining re...

PT-2026-28174

Name of the Vulnerable Software and Affected Versions PrestaShop versions prior to 8.2.5 PrestaShop versions prior to 9.1.0 Description PrestaShop is susceptible to stored Cross-Site Scripting stored XSS issues within the back-office BO. An attacker capable of injecting data into the database,...

PT-2026-27125

SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/ adm/scripts/modalReport data.php' endpoint...

CVE-2019-25578

phpTransformer 2016.9 contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the idnews parameter. Attackers can send crafted GET requests to GeneratePDF.php with SQL payloads in the idnews parameter to extract...

GHSA-8P58-35C3-CCXX AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

Summary The RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest and LiveTransmition::keyExists — without parameterized binding...

Unspecified Vulnerability in HCL AION (CNVD-2026-15147)

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a security vulnerability that stems from a lack of validation or restriction on SQL query execution, which can be exploited by an attacker to cause unexpected database interactions or information leakage...

GHSA-3X67-4C2C-W45M Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Summary The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the admlistcolumns table via prepared statements safe storage, but are later read back and...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the fullTextSearchBlock handler in kernel/api/search.go. An attacker can execute unauthorized SQL statements, including reading, modifying, or deleting database contents, by sending method=2 with a crafte...