CVE-2026-40909
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint locale/save.php constructs a file path by directly concatenating $_POST['flag'] into the path at line 30 without any sanitization. The $_POST['code'] parameter is then written verbatim to that path via...
CVE-2026-33513
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...
CVE-2026-33513 AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the block/locale endpoint due to improper sanitization of the locale parameter. PoC (html): https://redacted.de/cookiebar/block/dens82w%22%3E%3Cimg%20src%3da%20onerror%3dalert1%3Ew9qt...
PT-2024-32386 · Contao +1 · Contao Open Source Cms +1
Name of the Vulnerable Software and Affected Versions: Oveleon Cookie Bar versions prior to 1.16.3 and 2.1.3. Description: The block/locale endpoint does not properly sanitize the user-controlled locale input before including it in the backend's HTTP response, thereby causing reflected cross-site...
CVE-2023-29562
TP-Link TL-WPA7510 EUV2190125 was discovered to contain a stack overflow via the operation parameter at /admin/locale...