Lucene search

21329 matches found

Snyk • added 2026/03/29 3:40 p.m. • 3 views

Missing Authorization

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the list.json.php endpoints of multiple plugins, which lack authentication and authorization checks. An attacker can retrieve sensitive...

CVSS 8.7 • AI score 5.8
Exploits: 0 • References: 2

RedhatCVE • added 2026/03/28 4:59 p.m. • 1 view

CVE-2026-4309

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get a specific device information and change the settings via network...

CVSS 6.3 • AI score 5.9 • EPSS 0.00142
Exploits: 0 • References: 1

Snyk • added 2026/03/27 10:26 p.m. • 1 view

Missing Authorization

Overview: github.com/minio/minio is a high performance object storage server compatible with Amazon S3 APIs. Affected versions of this package are vulnerable to Missing Authorization via the extractMetadataFromMime function. An attacker can make objects permanently unreadable by injecting crafted...

CVSS 7.1 • AI score 5.8 • EPSS 0.00124
Exploits: 0 • References: 2

Cvelist • added 2026/03/27 8:41 p.m. • 24 views

CVE-2026-33887 Statamic allows unauthorized content access through missing authorization in its revision controllers

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4 • EPSS 0.00142
Exploits: 0 • References: 1

Vulnrichment • added 2026/03/27 8:41 p.m. • 2 views

CVE-2026-33887 Statamic allows unauthorized content access through missing authorization in its revision controllers

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4 • AI score 5.8 • EPSS 0.00142
Exploits: 0 • References: 1

OSV • added 2026/03/27 8:41 p.m. • 2 views

CVE-2026-33887 Statamic allows unauthorized content access through missing authorization in its revision controllers

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4 • AI score 5.8 • EPSS 0.00142
Exploits: 0 • References: 3

Snyk • added 2026/03/27 8:24 p.m. • 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the host transfer API due to missing authorization checks on the source team. An attacker can gain unauthorized control over hosts belonging to other teams by initiating a transfer, resulting in the ability to...

CVSS 8.8 • AI score 6 • EPSS 0.00315
Exploits: 0 • References: 2

Snyk • added 2026/03/27 8:24 p.m. • 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the host transfer API due to missing authorization checks on the source team. An attacker can gain unauthorized control over hosts belonging to other teams by initiating a transfer, resulting in the ability to...

CVSS 8.8 • AI score 6 • EPSS 0.00315
Exploits: 0 • References: 2

Snyk • added 2026/03/27 7:36 p.m. • 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

CVSS 8.8 • AI score 5.9 • EPSS 0.00406
Exploits: 0 • References: 3

Snyk • added 2026/03/27 7:35 p.m. • 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the actions/cache server process. An attacker can inject malicious cache entries and retrieve all existing caches by connecting to the server and predicting cache keys, potentially leading to execution of...

CVSS 8.2 • AI score 6.3 • EPSS 0.00459
Exploits: 0 • References: 2

Snyk • added 2026/03/27 5:31 p.m. • 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the downloadimage endpoint. An attacker can access and download image files belonging to any flow by knowing or guessing the flow ID and file name. Remediation: There is no fixed version for langflow-base...

CVSS 6.3 • AI score 5.9 • EPSS 0.00204
Exploits: 0 • References: 2

Snyk • added 2026/03/27 5:31 p.m. • 7 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the logs and logs-stream endpoints. An attacker can access sensitive application log data by authenticating with basic user privileges, as these endpoints do not enforce privilege checks. Remediation: There is n...

CVSS 7.1 • AI score 5.9 • EPSS 0.00255
Exploits: 0 • References: 2

Cvelist • added 2026/03/27 4:32 p.m. • 20 views

CVE-2026-34245 AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/PlayLists/View/Playlists_schedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless...

CVSS 6.3 • EPSS 0.00249
Exploits: 1 • References: 2

CVE • added 2026/03/27 4:32 p.m. • 16 views

CVE-2026-34245

WWBN AVideo is affected by CVE-2026-34245: in versions up to 26.0, the endpoint plugin/PlayLists/View/Playlists_schedules/add.json.php allows any authenticated user with streaming permission to create/modify broadcast schedules for any playlist, regardless of ownership. When a scheduled rebroadca...

CVSS 6.3 • AI score 5.9 • EPSS 0.00249
Exploits: 1 • References: 2 • Affected Software: 1

Vulnrichment • added 2026/03/27 4:32 p.m. • 0 views

CVE-2026-34245 AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/PlayLists/View/Playlists_schedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless...

CVSS 6.3 • AI score 5.9 • EPSS 0.00249
Exploits: 1 • References: 2

Snyk • added 2026/03/27 3:35 p.m. • 2 views

Missing Authorization

Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Missing Authorization due to missing validation in the removefilefromknowledgebyid function. An attacker can delete arbitrary files from other users' knowledge bases by providing the file ID, even if the file...

CVSS 8.1 • AI score 5.9 • EPSS 0.00252
Exploits: 1 • References: 2

Cvelist • added 2026/03/27 2:34 p.m. • 19 views

CVE-2026-5022 Langflow - Missing Authorization on download_image Endpoint

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing or guessing the flow ID and file name...

CVSS 6.3 • EPSS 0.00204
Exploits: 0 • References: 1

CVE • added 2026/03/27 2:34 p.m. • 13 views

CVE-2026-5022

CVE-2026-5022 (Langflow): The endpoint "/api/v1/files/images/{flow_id}/{file_name}" lacks authentication/authorization, enabling any unauthenticated user to download images from any flow by guessing the flow_id and file_name. This is documented in both the CVE list and the CVE entry as a missing...

CVSS 6.3 • AI score 5.9 • EPSS 0.00204
Exploits: 0 • References: 1 • Affected Software: 1

EUVD • added 2026/03/27 12:31 p.m. • 2 views

EUVD-2026-16583

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get a specific device information and change the settings via network...

CVSS 6.3 • AI score 5.9 • EPSS 0.00142
Exploits: 0 • References: 2

NVD • added 2026/03/27 12:16 p.m. • 5 views

CVE-2026-4309

Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get a specific device information and change the settings via network...

CVSS 6.5 • EPSS 0.00142
Exploits: 0 • References: 1