Lucene search
K

1598 matches found

Nuclei
Nuclei
added 15 hours ago14 views

WordPress AudioIgniter <= 2.0.2 - Unauthenticated IDOR

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. The handleplaylistendpoint function accepted a user-controlled playlist ID and returned track data without authentication. id: CVE-2026-8679 info: name: WordPress...

7.5CVSS6.1AI score0.01508EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.9 views

EUVD-2026-40415

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS5.9AI score0.00225EPSS
Exploits0References5
NVD
NVD
added 2026/06/30 10:16 p.m.9 views

CVE-2026-58447

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS0.00225EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/30 9:5 p.m.5 views

CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS5.9AI score0.00225EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 9:5 p.m.13 views

CVE-2026-58447

CVE-2026-58447 (Invidious) : A broken object-level authorization vulnerability affects Invidious up to version 2.20260626.0. An authenticated attacker can delete videos from other users’ playlists by supplying an arbitrary global video index to the remove_video endpoint, using per-video indices e...

7.1CVSS5.9AI score0.00225EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/30 9:5 p.m.35 views

CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS0.00225EPSS
Exploits0References4
OSV
OSV
added 2026/06/30 9:5 p.m.4 views

CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS6AI score0.00225EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53996

Name of the Vulnerable Software and Affected Versions Invidious versions prior to 2.20260626.0 Description An issue exists where authenticated attackers can delete videos from playlists belonging to other users. This occurs because the system fails to validate ownership when a request is made to...

7.1CVSS6AI score0.00225EPSS
Exploits0References11
CVE
CVE
added 2026/06/29 5:18 p.m.21 views

CVE-2026-57946

CVE-2026-57946 affects Invidious prior to version 2.20260626.0. A broken access control allows unauthenticated attackers to fetch private playlist contents by requesting the RSS feed playlist endpoint with a playlist ID, exposing the full playlist, owner email address, and associated video entrie...

6.3CVSS5.8AI score0.00272EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/29 5:18 p.m.35 views

CVE-2026-57946 Invidious - Private Playlist Disclosure via Unauthenticated RSS Feed Endpoint

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...

6.3CVSS0.00272EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 5:18 p.m.8 views

EUVD-2026-40163

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...

6.3CVSS5.8AI score0.00272EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/26 11:33 p.m.13 views

EUVD-2026-38067

Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 11:33 p.m.3 views

GHSA-HMGP-W9JM-VP95 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

Summary In gonic, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can: 1. Delete any playlist owned by any other user including admin by passing its id. 2. Read the full...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/26 11:32 p.m.12 views

EUVD-2026-38062

gonic: Path Traversal in playlist id bypasses ownership check, enabling any user to read/delete other users' playlists...

7.1CVSS5.8AI score0.00262EPSS
Exploits0References4
OSV
OSV
added 2026/06/26 11:32 p.m.5 views

GHSA-2FP4-5V5C-4448 gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists

Summary The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 fixsubsonic: enforce playlist ownership on getPlaylist/deletePlaylist added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled...

7.1CVSS5.9AI score0.00262EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/26 11:32 p.m.7 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the id parameter in playlist operations. An attacker can access or delete other users' playlists, and probe for the existence of arbitrary files by supplying a crafted base64-encoded...

7.1CVSS6.1AI score0.00262EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/26 11:32 p.m.5 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the id parameter in playlist operations. An attacker can access or delete other users' playlists, and probe for the existence of arbitrary files by supplying a crafted base64-encoded...

7.1CVSS6.1AI score0.00262EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 11:21 p.m.3 views

GHSA-4GXV-P5G5-J7W7 gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

Summary A logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent...

8.1CVSS5.8AI score0.00269EPSS
Exploits0References3
NVD
NVD
added 2026/06/19 7:16 p.m.12 views

CVE-2026-49340

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path o...

8.1CVSS0.00269EPSS
Exploits0References1
NVD
NVD
added 2026/06/19 7:16 p.m.17 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS0.00262EPSS
Exploits0References3
Rows per page
Query Builder