Lucene search
K

371 matches found

Schneier on Security
Schneier on Security
added 2026/05/22 9:4 p.m.10 views

Friday Squid Blogging: Regulating Squid Fishing in the South Pacific

The South Pacific Regional Fisheries Management Organization SPRFMO needs to regulate squid fishing in the South Pacific. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...

5.8AI score
Exploits0
Schneier on Security
Schneier on Security
added 2026/05/16 1:3 a.m.19 views

Friday Squid Blogging: Bigfin Squid

Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation policy...

5.8AI score
Exploits0
NVD
NVD
added 2026/05/14 5:16 a.m.27 views

CVE-2026-7525

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS0.00341EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.14 views

PT-2026-40850

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References13
CVE
CVE
added 2026/04/23 12:9 a.m.18 views

CVE-2026-41243

OpenLearn's OpenLearn project has a vulnerability CVE-2026-41243 where, prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, enabling safeMode does not prevent public access to unapproved posts via direct post UUID. The post-read path still returns full content to anyone who has the UUID, ev...

6.9CVSS5.7AI score0.00177EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/04/23 12:9 a.m.32 views

CVE-2026-41243 OpenLearn's pending forum posts remain publicly readable by direct ID when moderation mode is enabled

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when safeMode is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit...

6.9CVSS0.00177EPSS
Exploits1References2
Packet Storm News
Packet Storm News
added 2026/04/23 12:0 a.m.7 views

Transient Turn Injection: Exposing Stateless Multi-Turn Vulnerabilities in Large Language Models

Large language models LLMs are increasingly integrated into sensitive workflows, raising the stakes for adversarial robustness and safety. This paper introduces Transient Turn InjectionTTI, a new multi-turn attack technique that systematically exploits stateless moderation by distributing...

5.2AI score
Exploits0
OSV
OSV
added 2026/04/20 6:31 a.m.6 views

GHSA-F3Q6-69F3-VWCH FastChat has a Content Moderation Bypass via Arena Side-by-Side Views

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function addtext of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was...

6.9CVSS5.7AI score0.00308EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/04/20 6:31 a.m.13 views

FastChat has a Content Moderation Bypass via Arena Side-by-Side Views

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function addtext of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was...

6.9CVSS5.7AI score0.00308EPSS
Exploits0References8Affected Software1
OSV
OSV
added 2026/04/10 7:49 p.m.12 views

GHSA-FWG7-53P4-G33C Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass

Summary All 9 comment panel admin endpoints /api/panel/comments/ are missing RequireScopes middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions e.g., echo:read only can perfo...

5.5CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/04/10 7:49 p.m.5 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to the lack of a RequireScopes call in internal/router/comment.go comment panel admin endpoint. An attacker can gain unauthorized access to comment moderation operations, including listing, approving, rejecting...

6.9CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/10 7:49 p.m.6 views

Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass

Summary All 9 comment panel admin endpoints /api/panel/comments/ are missing RequireScopes middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions e.g., echo:read only can perfo...

5.8AI score
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/01 11:1 p.m.3 views

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS6AI score0.00238EPSS
Exploits1References1
OSV
OSV
added 2026/04/01 9:7 p.m.6 views

GHSA-M577-W9J8-CH7J AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

Summary AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and draft workflows. The setStatus method validates the status code again...

4.3CVSS6.1AI score0.00238EPSS
Exploits1References4
EUVD
EUVD
added 2026/04/01 9:7 p.m.8 views

EUVD-2026-17656

AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter...

4.3CVSS5.8AI score0.00238EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/01 9:7 p.m.4 views

Improper Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Improper Authorization in the overrideStatus request parameter, which is processed by the setStatus function. An attacker can bypass administrative moderation and...

5.3CVSS5.8AI score0.00238EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/01 9:7 p.m.7 views

AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

Summary AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and draft workflows. The setStatus method validates the status code again...

4.3CVSS6.1AI score0.00238EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/03/31 9:16 p.m.4 views

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS0.00238EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:55 p.m.5 views

CVE-2026-34738 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS6AI score0.00238EPSS
Exploits1References3
CVE
CVE
added 2026/03/31 8:55 p.m.10 views

CVE-2026-34738

CVE-2026-34738 affects WWBN AVideo (

4.3CVSS5.9AI score0.00238EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder