Lucene search
K

292 matches found

Snyk
Snyk
added 2026/05/19 4:25 p.m.10 views

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via image404Raw.php. An attacker can access arbitrary image files, including those protected by access controls, by supplying crafted path...

6.9CVSS5.9AI score0.00455EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/05/19 4:25 p.m.13 views

AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`

Summary The endpoint requires no authentication. An unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails,...

6.9CVSS6AI score0.00455EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.16 views

PT-2026-41994

Name of the Vulnerable Software and Affected Versions AVideo versions 29.0 and earlier Description An unauthenticated remote attacker can read arbitrary image files from the disk that the PHP user has permission to open. This includes private user-profile photos protected by Access Control Lists...

6.9CVSS6AI score0.00455EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/05/11 8:25 p.m.10 views

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

8.8CVSS6.1AI score0.00347EPSS
Exploits0References1
NVD
NVD
added 2026/05/10 1:16 p.m.12 views

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

8.8CVSS0.00347EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:12 p.m.6 views

CVE-2022-50944

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

8.8CVSS6.1AI score0.00347EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/05/10 12:0 a.m.11 views

Aero CMS 代码注入漏洞

Aero CMS is a content management system developed by the American company Aero CMS. Version 0.0.1 of Aero CMS has a code injection vulnerability. This vulnerability stems from PHP code injection in the image parameter, which may allow authenticated attackers to execute arbitrary PHP code by...

8.8CVSS6.1AI score0.00347EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.12 views

PT-2026-39473

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add post parameter,...

8.8CVSS6.1AI score0.00347EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.6 views

PT-2026-35447

A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might ...

5.8CVSS5.2AI score0.00218EPSS
Exploits0References6
CVE
CVE
added 2026/04/22 7:45 a.m.14 views

CVE-2026-4131

The CVE-2026-4131 entry concerns the WP Responsive Popup + Optin WordPress plugin (versions up to 1.4). Root cause: the admin settings form (wpo_admin_page.php) does not generate or verify a nonce (wp_nonce_field/wp_verify_nonce/check_admin_referer), enabling CSRF that can update plugin settings,...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References11
EUVD
EUVD
added 2026/04/17 3:31 p.m.5 views

EUVD-2026-23426

A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The...

6.5CVSS6.1AI score0.00257EPSS
Exploits0References5
NVD
NVD
added 2026/04/17 1:16 p.m.3 views

CVE-2026-6489

A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The...

6.5CVSS0.00257EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/17 1:0 p.m.3 views

CVE-2026-6489 QueryMine sms Background Management addteacher.php unrestricted upload

A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The...

6.5CVSS6.1AI score0.00257EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.11 views

sms 安全漏洞

SMS is a student performance management system developed by QUERYMINE. SMS has a security vulnerability, which stems from the handling of the image parameter in the admin/addteacher.php file. This vulnerability may lead to arbitrary file uploads...

6.5CVSS6.7AI score0.00257EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/06 9:0 a.m.31 views

CVE-2026-5640 PHPGurukul Online Shopping Portal Project Parameter update-image2.php sql injection

A vulnerability has been found in PHPGurukul Online Shopping Portal Project 2.1. The affected element is an unknown function of the file /admin/update-image2.php of the component Parameter Handler. The manipulation of the argument filename leads to sql injection. The attack is possible to be...

6.5CVSS0.00192EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/31 4:45 a.m.6 views

CVE-2026-5181

A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctorsappointment/admin/ajax.php?action=savecategory. Such manipulation of the argument img leads to unrestricted upload. The attack may be...

6.5CVSS5.4AI score0.00206EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/27 5:9 p.m.3 views

CVE-2026-4875

A vulnerability was determined in itsourcecode Free Hotel Reservation System 1.0. The affected element is an unknown function of the file /admin/modamenities/index.php?view=add. This manipulation of the argument image causes unrestricted upload. The attack is possible to be carried out remotely...

5.8CVSS5.6AI score0.00223EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/26 3:30 p.m.4 views

EUVD-2026-16169

A vulnerability was determined in itsourcecode Free Hotel Reservation System 1.0. The affected element is an unknown function of the file /admin/modamenities/index.php?view=add. This manipulation of the argument image causes unrestricted upload. The attack is possible to be carried out remotely...

5.8CVSS5.5AI score0.00223EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/03/21 12:0 a.m.8 views

ownDMS 代码问题漏洞

ownDMS is a document management system developed by ownDMS Inc. Version 4.7 of ownDMS has code vulnerabilities; these vulnerabilities stem from SQL injection attacks involving the IMG parameter, which could allow unauthenticated attackers to execute arbitrary SQL queries...

8.8CVSS6.2AI score0.00324EPSS
Exploits1References4
NVD
NVD
added 2026/03/11 10:16 p.m.7 views

CVE-2026-32133

2FAuth is a web app to manage Two-Factor Authentication 2FA accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

9.1CVSS0.00505EPSS
Exploits1References1
Rows per page
Query Builder