Lucene search
K

193 matches found

NVD
NVD
added 2026/06/30 10:16 p.m.8 views

CVE-2026-58447

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS0.00225EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 9:5 p.m.12 views

CVE-2026-58447

CVE-2026-58447 (Invidious) : A broken object-level authorization vulnerability affects Invidious up to version 2.20260626.0. An authenticated attacker can delete videos from other users’ playlists by supplying an arbitrary global video index to the remove_video endpoint, using per-video indices e...

7.1CVSS5.9AI score0.00225EPSS
Exploits0References4
NVD
NVD
added 2026/06/29 6:16 p.m.8 views

CVE-2026-57946

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...

6.3CVSS0.00272EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/26 11:33 p.m.13 views

EUVD-2026-38067

Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 11:32 p.m.5 views

GHSA-2FP4-5V5C-4448 gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists

Summary The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 fixsubsonic: enforce playlist ownership on getPlaylist/deletePlaylist added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled...

7.1CVSS5.9AI score0.00262EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/26 11:32 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the id parameter in playlist operations. An attacker can access or delete other users' playlists, and probe for the existence of arbitrary files by supplying a crafted base64-encoded...

7.1CVSS6.1AI score0.00262EPSS
Exploits0References3
NVD
NVD
added 2026/06/19 7:16 p.m.11 views

CVE-2026-49338

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS0.00168EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 7:16 p.m.17 views

CVE-2026-49339

gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...

7.1CVSS0.00262EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/19 7:8 p.m.5 views

CVE-2026-49338

gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can delete...

7.1CVSS5.9AI score0.00168EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.21 views

PT-2026-51012

Name of the Vulnerable Software and Affected Versions gonic versions prior to 0.21.0 Description The Subsonic API endpoints '/rest/deletePlaylist.view' and '/rest/getPlaylist.view' lack per-resource authorization. An authenticated user, regardless of privilege level, can delete any playlist or re...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.14 views

CVE-2026-8679

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handleplaylistendpoint function hooked to templateredirect accepting a user-controlled playlist ID via the audioigniterplaylistid query var or the...

7.5CVSS5.5AI score0.01508EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/29 12:0 a.m.13 views

Linux Distros Unpatched Vulnerability : CVE-2026-49130

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Music Player Daemon MPD before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows...

6.9CVSS5.5AI score0.0026EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/05/28 7:12 p.m.13 views

CVE-2026-49130

Music Player Daemon MPD before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references...

6.9CVSS5.8AI score0.0026EPSS
Exploits0
PyPA
PyPA
added 2026/05/27 5:16 p.m.28 views

PYSEC-2026-180

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file...

6.5CVSS5.8AI score0.00345EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2026/05/11 2:28 p.m.16 views

External Control of File Name or Path

Overview streamlink is a Streamlink is a command-line utility that extracts streams from various services and pipes them into a video player of choice. Affected versions of this package are vulnerable to External Control of File Name or Path via the parsing process for HLS and DASH playlists or...

7.1CVSS6AI score0.00345EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/16 12:0 a.m.4 views

CVE-2026-37337

SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/viewplaylist.php...

5.9AI score0.00169EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/28 4:59 p.m.5 views

CVE-2026-34245

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless...

6.3CVSS5.9AI score0.00249EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/28 4:59 p.m.3 views

CVE-2026-33759

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

5.3CVSS5.9AI score0.00295EPSS
Exploits1References1
NVD
NVD
added 2026/03/27 3:16 p.m.8 views

CVE-2026-33759

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

5.3CVSS0.00295EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/27 2:18 p.m.1 views

CVE-2026-33759

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are...

5.3CVSS5.9AI score0.00295EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder