GHSA-V6WH-96G9-6WX3 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

Summary The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result ...

CVE-2026-33041

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password...

CVE-2026-33041

CVE-2026-33041 affects WWBN AVideo. In versions 25.0 and earlier, the endpoint /objects/encryptPass.json.php exposes the site’s password hashing algorithm to unauthenticated users, allowing submission of a password to receive its hash and enabling offline cracking against leaked database hashes. ...

CVE-2025-35114

Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30...

CVE-2025-35114

CVE-2025-35114 affects Agiloft Release 28, where several accounts use default credentials enabling local privilege escalation. The vulnerability arises from accounts with known password hashes that could be cracked offline. Mitigation suggested in multiple sources is upgrading to Agiloft Release ...