PT-2026-26928

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the...

CVE-2026-33238 AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration

WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by...

EUVD-2026-13871

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt on attacker-controlled JWEs using PBES2 algorithms are...

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)

Summary An unauthenticated API endpoint APIName=locale concatenates user input into an include path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under the web root can be included. In our test this yielded confirmed file disclosure and code execution o...

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the test.php endpoint. An attacker can access internal network resources, probe open or closed ports, and retrieve content fro...

AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter

Summary The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath + directory prefix check to restrict paths to the videos/ directory,...

GHSA-83XQ-8JXJ-4RXM AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter

Summary The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath + directory prefix check to restrict paths to the videos/ directory,...

GHSA-VV7W-QF5C-734W AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

Summary The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rat...

AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

Summary The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $REQUEST'sections' array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

GHSA-XGGW-G9PM-9QHH AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

Summary The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $REQUEST'sections' array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

Access Control Bypass

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Access Control Bypass through the exposure of secret keys in the clones.json.php endpoint, which allows an attacker to trigger a database dump and obtain admin...

EUVD-2026-13752

XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...

CVE-2026-32844

XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...

WordPress Pendulum theme < 3.1.5 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Pendulum versions 3.1.5...

WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Vex versions 1.2.9...

CVE-2026-32844

XinLiangCoder php_api_doc contains a reflected XSS via list_method.php (GET parameter f) after commit 1ce5bbf. Unsanitized input is echoed to the page, enabling execution of arbitrary JavaScript in victims’ browsers. Impact cited includes session hijacking, credential theft, or malware distributi...

CVE-2026-32844 XinLiangCoder / php_api_doc Reflected XSS via list_method.php

XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...

WordPress JS Archive List plugin <= 6.1.7 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by daroo in WordPress Plugin JS Archive List versions = 6.1.7...

CVE-2026-4485

A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/searchstudent.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...

EUVD-2026-13678

WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurarproduto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the idproduto GET parameter,...