ASB-A-488938763

Bulletin has no description...

CVE-2026-45620

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

EUVD-2026-33307

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck or admin gate. It only has an entry guard: pregmatch'/^@/', $REQUEST'term' and hard-coded rowCount=10. This enables unauthenticated user enumeration...

WWBN AVideo 授权问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained an authorization vulnerability. This vulnerability stemmed from the absence of user login checks and administrator gatekeeping in the objects/mention.json.php file...

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in: objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers$ignoreAdmin, 'name', 'email', 'user', 'channelName', 'a'; No User::loginCheck, no adm...

Improper Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Improper Authorization via the mention.json.php process. An attacker can enumerate user information by sending unauthenticated requests that match the required inp...

GHSA-VPFX-PXQW-2W79 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in: objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers$ignoreAdmin, 'name', 'email', 'user', 'channelName', 'a'; No User::loginCheck, no adm...

PT-2026-41716

Name of the Vulnerable Software and Affected Versions AVideo versions 29.0 and earlier Description An issue exists in the open source video platform where the endpoint "objects/mention.json.php" lacks a User::loginCheck or admin gate. The endpoint only implements an entry guard using preg...

MINI-MRC9-985M-4438

Bulletin has no description...

BELL-CVE-2025-71301 CVE-2025-71301 does not affect BellSoft software

Bulletin has no description...

CVE-2026-33657

CVE-2026-33657 affects EspoCRM up to version 9.3.3, where an stored HTML injection vulnerability allows an authenticated user with standard privileges to inject HTML into system-generated email notifications. Root cause: server-side Handlebars templates render the unescaped post field (triple-bra...

Exploit for CVE-2026-29000

No d...

EUVD-2026-21138

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted...

CVE-2026-35642

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted...

CVE-2026-35642

Technical details (affected components, root cause specifics, impacted versions, or exploits) are not publicly available in the supplied documents. Monitor for updates in connected advisories.

CVE-2026-35642 OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted...

PT-2026-31776

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw contains an authorization bypass issue where group reaction events circumvent the requireMention access control. This allows attackers to trigger reactions in groups that require a...

OpenClaw has an unspecified vulnerability (CNVD-2026-16695)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to bypass groupAllowFrom and requireMention protections in group chats...