146 matches found
CVE-2026-46672
Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not...
Malicious code in uol-simple-api-futebol (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 962c38ed6ec061ce6a530aeea5a960dfc2b75caec56f7a1bc648f6b6cb655271 The package's only documented function, getJogos default export, unconditionally invokes an internal helper named prepareCacheMatchs which POSTs the...
EUVD-2026-29878
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5...
kimai 安全漏洞
Kimai is a web-based, multi-user time tracking application developed by Kimai’s individual developers. Versions of Kimai from 2.27.0 to 2.54.0 contained security vulnerabilities. These vulnerabilities stemmed from the possibility for any ROLEUSER to create tags with formula strings as names using...
CVE-2026-5753 All-in-One WP Migration Unlimited Extension <= 2.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download
The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmveSchedulesController::save' handler for 'adminpostai1wmscheduleeventsave' not verifying user capabilities before saving...
EUVD-2026-16715
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking...
Missing Authorization
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the add.json.php process. An attacker can gain unauthorized control over another user's broadcast schedules and execute rebroadcasts as th...
CVE-2026-34245
WWBN AVideo is affected by CVE-2026-34245: in versions up to 26.0, the endpoint plugin/PlayLists/View/Playlists_schedules/add.json.php allows any authenticated user with streaming permission to create/modify broadcast schedules for any playlist, regardless of ownership. When a scheduled rebroadca...
CVE-2026-34245 AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless...
FUXA Unauthenticated Remote Arbitrary Scheduler Write
Summary An authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patch...
CVE-2025-3653
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...
CVE-2025-3653
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...
CVE-2025-3653 Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device contro...
RosarioSIS 6.7.2 - Cross-Site Scripting (XSS)
Exploit Title: RosarioSIS 6.7.2 - Cross-Site Scripting XSS Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis Software Link: https://gitlab.com/francoisjacquet/rosariosis Version: 6.7.2 Tested on: Windows CVE : CVE-2020-15718 Proof Of Concep...
EUVD-2020-3568
Malware in sbrugna...
EUVD-2021-26251
Malware in sbrugna...
EUVD-2022-37604
Malicious code in bioql PyPI...
EUVD-2021-29305
Malicious code in bioql PyPI...
EUVD-2022-36197
Malicious code in bioql PyPI...
EUVD-2022-35834
Malicious code in bioql PyPI...