4 matches found

Positive Technologies
added 2026/06/08 12:0 a.m., 9 views

PT-2026-47584

Summary: An unauthenticated attacker Alice connects to FUXA's Socket.IO endpoint and emits a device-webapi-request event whose property.address field names an arbitrary URL. FUXA's DEVICE WEBAPI REQUEST handler at server/runtime/index.js:296 calls axios.get(address) server-side and broadcasts the fu...

CVSS 8.2, AI score 5.7
Exploits 0, References 4
RedhatCVE
added 2026/03/28 4:59 p.m., 4 views

CVE-2026-34247

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/Live/uploadPoster.php endpoint allows any authenticated user to overwrite the poster image for any scheduled live stream by supplying an arbitrary livescheduleid. The endpoint only checks User::isLogged...

CVSS 5.4, AI score 5.9, EPSS 0.00243
Exploits 1, References 1
RedhatCVE
added 2025/08/16 2:24 p.m., 9 views

CVE-2025-9036

A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcast over a WebSocket and can be intercepted by any local client listening on the connection...

CVSS 8.5, AI score 7.2, EPSS 0.0015
Exploits 0, References 1
CVE
added 2025/08/14 1:39 p.m., 16 views

CVE-2025-9036

Rockwell Automation FactoryTalk Action Manager (v1.0.0 Runtime) is affected by a vulnerability in its runtime event system that permits unauthenticated local access to a reusable API token. The token is broadcast over a WebSocket and can be intercepted by any local client listening on the connect...

CVSS 8.5, AI score 7.1, EPSS 0.0015
Exploits 0, References 1