CVE-2026-40928

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

PT-2026-34198

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.1 Description Multiple JSON endpoints under 'objects/' accept state-changing requests via $ REQUEST and $ GET without anti-CSRF tokens, origin checks, or referer checks. This allows a malicious page to perform...

PT-2026-33548

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints /settings/users and use them to enumerate all users and create a new administrator account. This happens because the route...

CVE-2026-24443

EventSentry versions prior to 6.0.1.20 contain an unverified password change vulnerability in the account management functionality of the Web Reports interface. The password change mechanism does not require validation of the current password before allowing a new password to be set. An attacker...

Exploit for Code Injection in Craftcms Craft_Cms

CraftCMS CVE-2025-32432 Vulnerability Exploitation Tool Set A...

CVE-2021-35242

Serv-U server responds with valid CSRFToken when the request contains only Session...

CVE-2024-43099

The session hijacking attack targets the application layer's control mechanism, which manages authenticated sessions between a host PC and a PLC. During such sessions, a session key is utilized to maintain security. However, if an attacker captures this session key, they can inject traffic into a...

Uvdesk v1.1.3 - File Upload Remote Code Execution (Authenticated) Exploit

Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution RCE Authenticated Exploit Author: Daniel Barros @cupc4k3d - Hakai Offensive Security Vendor Homepage: https://www.uvdesk.com Software Link: https://github.com/uvdesk/community-skeleton Version: 1.1.3 Example: python3 CVE-2023-39147....

TCG TPM2.0 implementations vulnerable to memory corruption

Overview Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module TPM 2.0 reference library specification, currently at Level 00, Revision 01.59 November 2019. An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and...

generator-jhipster vulnerable to login check Regular Expression Denial of Service

Impact For applications using JWT or session-based authentication not OIDC, users can input a login string which can cause a denial of service, as parsing it will be too complex. Here is an example: https://gist.github.com/atomfrede/311f8a9c6eb74c5c5226af0481155207 The vulnerable expression was...

CVE-2021-3417

An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator LXCA, if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in...

GHSA-W542-CPP9-R3G7 Field Test CSRF vulnerability

The Field Test dashboard is vulnerable to cross-site request forgery CSRF with non-session based authentication methods in versions v0.2.0 through v0.3.2. Impact The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based...

CSRF Vulnerability with Non-Session Based Authentication

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods. Impact The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods like Devise's default authentication a...

CVE-2002-0396

The web management server for Red-M 1050 Bluetooth Access Point does not use session-based credentials to authenticate users, which allows attackers to connect to the server from the same IP address as a user who has already established a session...