19 matches found

Nuclei
added 9 hours ago · 13 views

WordPress AudioIgniter <= 2.0.2 - Unauthenticated IDOR

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. The handle_playlist_endpoint function accepted a user-controlled playlist ID and returned track data without authentication. id: CVE-2026-8679 info: name: WordPress...

CVSS 7.5 · AI score 5.9 · EPSS 0.01508
Exploits 0 · References 3
CVE
added 5 days ago · 8 views

CVE-2026-58447

CVE-2026-58447 (Invidious): A broken object-level authorization vulnerability affects Invidious up to version 2.20260626.0. An authenticated attacker can delete videos from other users' playlists by supplying an arbitrary global video index to the remove_video endpoint, using per-video indices e...

CVSS 7.1 · AI score 5.9 · EPSS 0.00225
Exploits 0 · References 4
EUVD
added 6 days ago · 8 views

EUVD-2026-40163

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...

CVSS 6.3 · AI score 5.8 · EPSS 0.00272
Exploits 0 · References 5
NVD
added 2026/05/22 9:16 a.m. · 18 views

CVE-2026-8679

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint function hooked to template_redirect accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the...

CVSS 7.5 · EPSS 0.01508
Exploits 0 · References 5
EUVD
added 2026/05/22 7:50 a.m. · 11 views

EUVD-2026-31421

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint function hooked to template_redirect accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the...

CVSS 7.5 · AI score 5.8 · EPSS 0.01508
Exploits 0 · References 5
ATTACKERKB
added 2026/05/22 7:50 a.m. · 13 views

CVE-2026-8679

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint function hooked to template_redirect accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the...

CVSS 7.5 · AI score 5.8 · EPSS 0.01508
Exploits 0 · References 6
CVE
added 2026/05/22 7:50 a.m. · 18 views

CVE-2026-8679

The AudioIgniter WordPress plugin (up to v2.0.2) is affected by an Insecure Direct Object Reference. The handle_playlist_endpoint() function, mounted on template_redirect, accepts a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite,...

CVSS 7.5 · AI score 5.8 · EPSS 0.01508
Exploits 0 · References 5
Positive Technologies
added 2026/05/22 12:00 a.m. · 14 views

PT-2026-42737

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint function hooked to template_redirect accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or t...

CVSS 7.5 · AI score 5.8 · EPSS 0.01508
Exploits 0 · References 6
RedhatCVE
added 2026/03/11 7:08 a.m. · 3 views

CVE-2026-30885

WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playli...

CVSS 6.9 · AI score 5.8 · EPSS 0.00365
Exploits 1 · References 1
CVE
added 2026/03/09 10:35 p.m. · 13 views

CVE-2026-30885

WWBN AVideo prior to version 25.0 exposes an unauthenticated IDOR in the /objects/playlistsFromUser.json.php endpoint, allowing an attacker to enumerate user IDs and retrieve all playlists for any user, including playlist names, video IDs, and status. Root cause is lack of authentication/authoriz...

CVSS 6.9 · AI score 5.8 · EPSS 0.00365
Exploits 1 · References 2 · Affected software 1
OSV
added 2026/03/07 2:25 a.m. · 4 views

GHSA-6W2R-CFPC-23R5: AVideo has Unauthenticated IDOR - Playlist Information Disclosure

Product: AVideo (https://github.com/WWBN/AVideo) · Version: Latest tested March 2026 · Type: Insecure Direct Object Reference (IDOR) · Auth Required: No · User Interaction: None. Summary: The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or...

CVSS 6.9 · AI score 5.8 · EPSS 0.00365
Exploits 1 · References 4
Github Security Blog
added 2026/03/07 2:25 a.m. · 6 views

AVideo has Unauthenticated IDOR - Playlist Information Disclosure

Product: AVideo (https://github.com/WWBN/AVideo) · Version: Latest tested March 2026 · Type: Insecure Direct Object Reference (IDOR) · Auth Required: No · User Interaction: None. Summary: The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or...

CVSS 6.9 · AI score 5.8 · EPSS 0.00365
Exploits 1 · References 4 · Affected software 1
Positive Technologies
added 2026/03/07 12:00 a.m. · 5 views

PT-2026-24090

Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 25.0. Description: The /objects/playlistsFromUser.json.php endpoint does not require authentication or authorization, allowing an unauthenticated attacker to enumerate user IDs and retrieve playlist information, includin...

CVSS 6.9 · AI score 5.8 · EPSS 0.00365
Exploits 1 · References 10
Github Security Blog
added 2025/12/11 5:01 p.m. · 8 views

AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

An API endpoint that is intended for internal use by the SFTP software sftpgo was mistakenly exposed to the public-facing HTTP API for AzuraCast installations. This would allow a user with specific internal knowledge of a station's operations to craft a custom HTTP request that would affect the...

CVSS 3.7 · AI score 6.6 · EPSS 0.00205
Exploits 1 · References 4 · Affected software 1
RedhatCVE
added 2025/04/25 8:57 p.m. · 8 views

CVE-2025-1050

Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of...

CVSS 8.8 · AI score 7.9 · EPSS 0.00352
Exploits 0 · References 3
Cvelist
added 2025/04/23 4:44 p.m. · 14 views

CVE-2025-1050 Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability

Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of...

CVSS 8.8 · EPSS 0.00352
Exploits 0 · References 1
Positive Technologies
added 2025/04/09 12:00 a.m. · 5 views

PT-2025-15879 · Sonos · Sonos Era 300

Name of the Vulnerable Software and Affected Versions: Sonos Era 300, affected versions not specified. Description: This issue allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. The specific flaw exists within the processing of HLS playlist data, resulti...

CVSS 8.8 · AI score 8.8 · EPSS 0.00352
Exploits 0 · References 9
OSV
added 2017/06/28 6:29 a.m. · 2 views

DEBIAN-CVE-2017-9993

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data...

CVSS 7.5 · AI score 6.9 · EPSS 0.16437
Exploits 5 · References 1
Debian CVE
added 2017/06/28 6:00 a.m. · 22 views

CVE-2017-9993

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data...

CVSS 7.5 · AI score 7.6 · EPSS 0.16437
Exploits 5