2 matches found
CVE-2026-57946 Invidious - Private Playlist Disclosure via Unauthenticated RSS Feed Endpoint
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...
PT-2023-31801 · Unknown · Sandbox Accounts For Events
Name of the Vulnerable Software and Affected Versions: Sandbox Accounts for Events versions prior to 1.10.0 Description: The issue allows authenticated users to potentially read data from the events table by sending request payloads to the "events API", collecting information on planned events,...