4 matches found
CVE-2026-41057 AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8...
PT-2024-40377 · Butterfly · Butterfly
Name of the Vulnerable Software and Affected Versions: Butterfly (affected versions not specified)
Description: The issue allows an attacker to execute arbitrary JavaScript code on the server by using the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input...
PT-2024-20319 · Cellinx · Cellinx NVT Web Server
Name of the Vulnerable Software and Affected Versions: Cellinx NVT Web Server version 5.0.0.014
Description: An issue in the component /cgi-bin/GetJsonValue.cgi allows attackers to leak configuration information via a crafted POST request to the "GetJsonValue.cgi" endpoint.
Recommendations: For...
Cellinx NVT Web Server Security Vulnerability
Cellinx NVT Web Server is a web platform for virtual terminal management NVT from Cellinx, Korea. The platform is mainly used for managing video surveillance devices, and is divided into a monitoring page and a setting page to control the terminal. A security vulnerability exists in Cellinx NVT W...