UBUNTU-CVE-2026-42850

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as su...

CVE-2026-43873

The CVE describes an Information Exposure in WWBN AVideo’s CloneSite feature. In versions up to 29.0, cloneClient.json.php echoes the local CloneSite secret (myKey) on unauthenticated requests, exposing a static per-installation key derived from systemRootPath and salt. When a victim site has a r...

GHSA-QM9P-P5PW-JRX2 AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

Summary plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret $objClone-myKey, a constant md5$global'systemRootPath' . $global'salt' into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers...

AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClient.json.php` Enables Cross-Site DB Dump of the Configured Clone Server

Summary plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret $objClone-myKey, a constant md5$global'systemRootPath' . $global'salt' into the HTTP response body on every unauthenticated request. The unauthenticated error branch was intended to reject non-admin callers...