
10 matches found

Vulnrichment
added 2026/03/27 4:42 p.m., 1 view

CVE-2026-34362 AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the verifyTokenSocket function in plugin/YPTSocket/functions.php has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows...

CVSS 5.4, AI score 5.8, EPSS 0.00013
Exploits: 1, References: 2
Snyk
added 2026/03/07 2:10 a.m., 2 views

Incorrect Authorization

Overview grumpydictator/firefly-iii is a personal finances manager. Affected versions of this package are vulnerable to Incorrect Authorization via the index and show functions in the user management API endpoints, which lack proper role verification. An attacker can access sensitive information...

CVSS 7.1, AI score 5.9
Exploits: 0, References: 2
RedhatCVE
added 2025/11/05 2:11 p.m., 2 views

CVE-2025-41338

A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'iddenuncia' and 'iduser' in '/backend/api/buscarTestigoByIdDenunciaUsuario.php'...

CVSS 8.7, AI score 6.7, EPSS 0.00048
Exploits: 0, References: 1
NVD
added 2025/11/04 2:15 p.m., 1 view

CVE-2025-41343

A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'email' in '/backend/api/users/searchUserByEmail.php'...

CVSS 8.7, EPSS 0.00048
Exploits: 0, References: 1
Japan Vulnerability Notes
added 2024/05/29 5:6 a.m., 1 view

EC-Orange vulnerable to authorization bypass

Overview EC-Orange provided by S-cubism Inc. is an e-commerce website building system package based on an open source software EC-CUBE. EC-Orange contains an authorization bypass vulnerability CWE-639. This is the same issue as JVN51770585 EC-CUBE vulnerable to authorization bypass. This...

CVSS 9.1, AI score 6.5, EPSS 0.00388
Exploits: 0, References: 6
OSV
added 2023/06/22 7:59 p.m., 1 view

GHSA-JHPR-J7CQ-3JP3 Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error

Impact An authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the...

CVSS 5.1, AI score 5.9, EPSS 0.00472
Exploits: 0, References: 7
OSV
added 2022/01/24 2:15 p.m., 3 views

CVE-2022-22296

Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manageuser endpoint. Simply change the value and data of other users can be displayed...

CVSS 5.3, AI score 6.1, EPSS 0.00131
Exploits: 0, References: 1
CNNVD
added 2021/12/23 12:0 a.m., 3 views

Online Enrollment Management System SQL injection vulnerability

Online Enrollment Management System is an open source online enrollment management system. Online Enrollment Management System version 1.0 contains a SQL injection vulnerability that stems from the lack of effective filtering and escaping of the id parameter, which could be exploited to retrieve...

CVSS 7.5, AI score 5.9, EPSS 0.00264
Exploits: 1, References: 2
CNNVD
added 2021/06/18 12:0 a.m., 2 views

primion Technology AG Secure 8 SQL injection vulnerability

primion Technology AG Secure 8 is an access control solution from the Spanish company primion Technology AG. It is designed to control the access of people and vehicles to various locations. Secure 8 suffers from an SQL injection vulnerability that stems from Secure 8 Evalos not properly validati...

CVSS 9.8, AI score 8.5, EPSS 0.00566
Exploits: 1, References: 2
OSV
added 2021/06/03 11:15 p.m., 1 view

CVE-2020-36007

AppCMS 2.0.101 in /admin/template/tplapp.php has a cross site scripting attack vulnerability which allows the attacker to obtain sensitive information of other users...

CVSS 6.1, AI score 5.3, EPSS 0.0021
Exploits: 1, References: 1