Missing Authentication for Critical Function

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the absence of authentication checks in the list.json.php template used by multiple plugin endpoints. An attack...

GHSA-G2MG-CGR6-VMV7 AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Summary The AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses th...

Auth0 PHP SDK has Insufficient Entropy in Cookie Encryption

Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. Am I Affected? Consumers are affected if their application meets the following preconditions: - The...

Insufficient Entropy

Overview Affected versions of this package are vulnerable to Insufficient Entropy in the cookie encryption. An attacker can gain unauthorized access to user sessions by brute-forcing the encryption key and forging valid session cookies. Remediation Upgrade auth0/auth0-php to version 8.19.0 or...

CVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session...

CVE-2026-34236

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session...

CVE-2026-34236

Auth0-PHP SDK versions 8.0.0–8.18.x encrypt cookies with insufficient entropy, enabling potential brute-forcing of the encryption key and forging session cookies. Impact is session integrity/confidentiality, with high severity (CVSS 3.1: HIGH). The issue is fixed in version 8.19.0. Affected devel...

CVE-2026-34236 Auth0 PHP SDK Insufficient Entropy in Cookie Encryption

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session...

EUVD-2026-17875

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

CVE-2025-41355

Reflected Cross-Site Scripting XSS vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or ...

CVE-2026-5197

A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /deleteuser.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used...

CVE-2026-5256 code-projects Simple Laundry System Parameter modify.php sql injection

A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modify.php of the component Parameter Handler. This manipulation of the argument firstName causes sql injection. Remote exploitation of the attack is possible. The exploit has be...

CVE-2026-5256

A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modify.php of the component Parameter Handler. This manipulation of the argument firstName causes sql injection. Remote exploitation of the attack is possible. The exploit has be...

CVE-2026-5255 code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting

A vulnerability was detected in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /delstaffinfo.php of the component Parameter Handler. The manipulation of the argument userid results in cross site scripting. The attack may be launched remotely. The exploit is now...

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

CVE-2026-34036

Dolibarr is an enterprise resource planning ERP and customer relationship management CRM software package. In versions 22.0.4 and prior, there is a Local File Inclusion LFI vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting...

PT-2026-29658

Description The oauth2.php file in OpenSTAManager is an unauthenticated endpoint $skip permissions = true. It loads a record from the zz oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize on the access token field without any...

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the users.json.php process. An attacker can access sensitive personal and financial information of all users by sending authenticated...

GHSA-C5C6-37VQ-PJCQ baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API

Summary A path traversal vulnerability exists in the baserCMS 5.x theme file management API /baser/api/admin/bc-theme-file/themefiles/add.json that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary...

baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)

Details The application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using requireonce without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve...