3 matches found
CVE-2026-46404
BigBlueButton: Before 3.0.23, presentation URL validation did not properly restrict site-local/link-local access. The fix pins resolved IPs in redirect logic and is addressed in 3.0.23. No exploitation details provided.
CVE-2026-8327 Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...
CVE-2026-33619
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...