Lucene search
+L

262 matches found

Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-33684 AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS0.00329EPSS
Exploits0References1
OSV
OSV
added 4 days ago4 views

CVE-2026-33684 AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS6.1AI score0.00329EPSS
Exploits0References3
CVE
CVE
added 4 days ago14 views

CVE-2026-33684

Summary: CVE-2026-33684 affects WWBN AVideo prior to 29.0. The set_api_signUp API path accepts and applies user-supplied emailVerified, canUpload, canStream, and canCreateMeet values to new accounts without confirming a valid APISecret, enabling CAPTCHA-solved (anonymous) or APISecret-authenticat...

5.3CVSS6.1AI score0.00329EPSS
Exploits0References1
Nuclei
Nuclei
added 2026/07/11 12:22 a.m.87 views

Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting

Moodle Jitsi Meet 2.7 through 2.8.3 plugin contains a cross-site scripting vulnerability via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject JavaScript code to be run by the application. id: CVE-2021-26812 info: name: Moodle...

6.1CVSS6.4AI score0.97461EPSS
Exploits1References4
EUVD
EUVD
added 2026/07/10 7:48 a.m.10 views

EUVD-2026-42848

The GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the resetcredential function, which handles the...

4.3CVSS6AI score0.00168EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/10 7:48 a.m.32 views

CVE-2026-6440 GoodMeet <= 1.1.8 - Cross-Site Request Forgery to Google Meet Credential Reset via 'goodmeet_reset_google_meet_credential'

The GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the resetcredential function, which handles the...

4.3CVSS0.00168EPSS
Exploits0References8
CVE
CVE
added 2026/07/10 7:48 a.m.9 views

CVE-2026-6440

The CVE concerns the WordPress plugin GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference. A CSRF vulnerability exists in versions up to 1.1.8 due to missing nonce verification in reset_credential() for the wp_ajax_goodmeet_reset_google_meet_credential action. Although user...

4.3CVSS6AI score0.00168EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/07/09 7:32 p.m.5 views

WordPress GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin <= 1.1.8 - Cross-Site Request Forgery to Google Meet Credential Reset vulnerability

Cross-Site Request Forgery to Google Meet Credential Reset vulnerability discovered by Legion Hunter in WordPress Plugin GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference versions = 1.1.8...

4.3CVSS6.1AI score0.00168EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/07/08 2:17 p.m.8 views

CVE-2026-60092

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS0.002EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/08 1:51 p.m.5 views

EUVD-2026-42270

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS5.7AI score0.002EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/08 1:51 p.m.33 views

CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS0.002EPSS
Exploits0References3
CVE
CVE
added 2026/07/08 1:51 p.m.12 views

CVE-2026-60092

The CVE-2026-60092 entry describes a stored cross-site scripting vulnerability in the AVideo Meet plugin. When a participant joins a public meeting, the raw HTTP User-Agent header is stored in meet_join_log.user_agent without sanitization and later echoed in the Participants management panel (vis...

6.1CVSS5.7AI score0.002EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/08 1:51 p.m.6 views

CVE-2026-60092

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS5.7AI score0.002EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/08 1:51 p.m.6 views

CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS5.7AI score0.002EPSS
Exploits0References3
OSV
OSV
added 2026/07/08 1:51 p.m.4 views

CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

5.1CVSS6AI score0.002EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/23 7:11 p.m.11 views

AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/22 5:25 p.m.11 views

AVideo's Privilege Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

Summary The setapisignUp method in the API plugin accepts emailVerified, canUpload, canStream, and canCreateMeet parameters from user-supplied input and applies them to newly created accounts without verifying that the request was authenticated with a valid APISecret. Any anonymous user who can...

5.3CVSS6AI score0.00329EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/06/20 7:16 p.m.13 views

CVE-2026-56345

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target usersid from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload wit...

9.2CVSS0.00295EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 6:27 p.m.10 views

EUVD-2026-38132

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target usersid from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload wit...

9.2CVSS6AI score0.00295EPSS
Exploits0References2
CVE
CVE
added 2026/06/20 6:27 p.m.36 views

CVE-2026-56345

AVideo 29.0 contains an authorization bypass via the Meet plugin's uploadRecordedVideo.json.php endpoint. The vulnerability derives the target users_id from the uploaded filename without verification, allowing a crafted file (e.g., filename like 1-anything.mp4) to trigger passwordless User-&gt;lo...

9.2CVSS6AI score0.00295EPSS
Exploits0References2
Rows per page
Query Builder