AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php

Summary WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The cleantitle field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to...

EUVD-2026-13113

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

CVE-2026-32843

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

CVE-2026-32843

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

CVE-2026-32843 Linkit ONE Location Aware Sensor System (LASS) Reflected XSS via PM25.php

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

CVE-2026-32843

A reflected cross-site scripting (XSS) vulnerability affects Location Aware Sensor System by LinkIt ONE up to commit f06bd20 (2023-04-26) in PM25.php. The issue arises from allowing unencoded payloads via GET parameters (site, city, district, channel, or apikey), enabling remote attackers to exec...

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the listFiles.json.php file. An attacker can enumerate and disclose the absolute paths of .mp4 files located anywhere on the server...

EUVD-2026-13085

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThimPress BuilderPress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through 2.0.1...

EUVD-2026-13068

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6...

CVE-2026-25445 WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0...

CVE-2026-25445 WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection.This issue affects WishList Member X: from n/a through 3.29.0...

PT-2026-26296

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 2023-04-26, contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious U...

PT-2026-26268

🚨 CVE-2025-60233: WordPress Zuut theme = 1.4.2 - ... PHP object injection in WordPress themes = instant RCE playground for attackers who can craft malicious serialized payl... https://t.co/IgpaLoPW1V netsec vulnerability CVE sysadmin zeroday...

PT-2026-26441

Name of the Vulnerable Software and Affected Versions SuiteCRM versions 7.15.0 and 8.9.2 Description SuiteCRM is an open-source Customer Relationship Management CRM software application. A critical Remote Code Execution RCE issue exists, allowing authenticated administrators to execute arbitrary...

CVE-2026-32321

ClipBucket v5 is an open source video sharing platform. An authenticated time-based blind SQL injection vulnerability exists in ClipBucket prior to 5.5.3 80 within the actions/ajax.php endpoint. Due to insufficient input sanitization of the userid parameter, an authenticated attacker can execute...

CVE-2026-32321

ClipBucket v5.x prior to 5.5.3 #80 contains an authenticated time-based blind SQL injection in the actions/ajax.php endpoint. The vulnerability arises from insufficient input sanitization of the userid parameter, enabling an authenticated attacker to execute arbitrary SQL queries, leading to full...

CVE-2026-1463

CVE-2026-1463 affects the WordPress plugin “NextGEN Gallery” (Photo Gallery, Sliders, Proofing and Themes). Description: Local File Inclusion via the template parameter in gallery shortcodes is possible in all versions up to 4.0.3. Exploitation requires authenticated access at Author level or hig...

CVE-2026-1463

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access...

CVE-2026-25449

CVE-2026-25449 : The WordPress Traveler theme (Shinetheme Traveler) is affected prior to version 3.2.8.1 by a PHP object injection vulnerability caused by deserialization of untrusted data. The issue affects Traveler components (described as before 3.2.8.1) and is rated critical (CVSS 3.1 base sc...

CVE-2026-25449 WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection.This issue affects Traveler: from n/a before 3.2.8.1...