16 matches found
Langflow < 1.7.0 CORS Misconfiguration Account Takeover and RCE (CVE-2025-34291)
The version of Langflow installed on the remote host is prior to 1.7.0. It is, therefore, affected by a remote code execution vulnerability: - An overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origi...
PT-2026-34202
Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The allowOrigin($allowAll=true) function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This...
GHSA-CCQ9-R5CW-5HWQ WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
Summary The allowOrigin($allowAll=true) function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...
EUVD-2026-17658
AVideo: Reflected XSS via Unescaped ip Parameter in UserLocation testIP.php...
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Summary The UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricte...
GHSA-G8X9-7MGH-7CVJ AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
Summary The plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets session.cookie_samesite=None on session cookies. This allows an...
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification
Summary The plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets session.cookie_samesite=None on session cookies. This allows an...
AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated...
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
Summary The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...
PT-2026-26790
Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated...
EUVD-2025-201507
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicio...
Langflow CORS misconfiguration enables Account Takeover and RCE
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicio...
CVE-2025-34291 Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicio...
PT-2025-34241 · Laravel +1
Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.2.1 Description: UnoPim, an open-source Product Information Management (PIM) system built on the Laravel framework, is susceptible to Cross-Site Request Forgery (CSRF) attacks. Certain endpoints lack appropriate CSRF...
PT-2023-22082 · Sveltekit
Name of the Vulnerable Software and Affected Versions: SvelteKit versions prior to 1.15.2 Description: The SvelteKit framework provides out-of-the-box cross-site request forgery (CSRF) protection. However, this protection can be bypassed in versions prior to 1.15.2 by specifying an upper-cased...