Lucene search
K

126688 matches found

ATTACKERKB
ATTACKERKB
added 2026/03/31 8:56 p.m.4 views

CVE-2026-34739

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTM...

6.1CVSS6AI score0.0022EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/31 8:56 p.m.4 views

CVE-2026-34739 AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTM...

6.1CVSS6AI score0.0022EPSS
Exploits1References1
CVE
CVE
added 2026/03/31 8:56 p.m.11 views

CVE-2026-34739

The CVE concerns WWBN AVideo (open source video platform). In AVideo versions up to 26.0, the User_Location plugin’s testIP.php reflects the ip parameter directly into an HTML input without HTML-encoding, enabling reflected XSS. Although the page is admin-restricted, SameSite=None cookies enable ...

6.1CVSS6AI score0.0022EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/03/31 8:56 p.m.20 views

CVE-2026-34739 AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTM...

6.1CVSS0.0022EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:56 p.m.6 views

CVE-2026-34739 AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTM...

6.1CVSS6AI score0.0022EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/31 8:45 p.m.2 views

CVE-2026-34613 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

6.5CVSS5.9AI score0.00201EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/31 8:45 p.m.2 views

CVE-2026-34613

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

6.5CVSS5.9AI score0.00201EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/31 8:45 p.m.24 views

CVE-2026-34613 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

6.5CVSS0.00201EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:45 p.m.9 views

CVE-2026-34613 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

6.5CVSS5.9AI score0.00201EPSS
Exploits1References3
CVE
CVE
added 2026/03/31 8:45 p.m.29 views

CVE-2026-34613

The CVE affects WWBN AVideo (versions 26.0 and earlier). The endpoint objects/pluginSwitch.json.php lets an admin enable/disable plugins without validating a CSRF token, and the plugin list is exempt from ORM-level Referer/Origin checks via ignoreTableSecurityCheck(), bypassing domain validation ...

6.5CVSS5.9AI score0.00201EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/31 8:42 p.m.2 views

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

6.5CVSS6AI score0.00157EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/31 8:42 p.m.23 views

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

6.5CVSS0.00157EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:42 p.m.8 views

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

6.5CVSS6AI score0.00157EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/31 8:42 p.m.1 views

CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

6.5CVSS6AI score0.00157EPSS
Exploits1References1
CVE
CVE
added 2026/03/31 8:42 p.m.8 views

CVE-2026-34611

WWBN AVideo prior to version 26.0 allows CSRF on the endpoint objects/emailAllUsers.json.php, enabling a mass HTML email sent to all users without a CSRF token. The issue arises because admin sessions are valid cross-origin, given SameSite=None on cookies, allowing an attacker to lure an admin to...

6.5CVSS6AI score0.00157EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/03/31 8:39 p.m.23 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS0.00233EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/31 8:39 p.m.2 views

CVE-2026-34394

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/31 8:39 p.m.5 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/31 8:39 p.m.9 views

EUVD-2026-17630

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:39 p.m.6 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References3
Rows per page
Query Builder