Lucene search
K

62 matches found

Github Security Blog
Github Security Blog
added 2026/04/01 11:44 p.m.9 views

NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...

8.5CVSS6.3AI score0.00406EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.18 views

PT-2026-29814

Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.0.30 Description NocoBase is an AI-powered no-code/low-code platform. The plugin-workflow-sql component, in versions up to 2.0.8, directly substitutes template variables into raw SQL strings using getParsedValue...

8.5CVSS6.1AI score0.00406EPSS
Exploits1References7
EUVD
EUVD
added 2026/03/30 7:42 p.m.5 views

EUVD-2026-17206

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "sectionid" and "userid", the /api/v2?cmd=gethomestats endpoint passe...

4.9CVSS5.9AI score0.004EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/28 11:9 p.m.4 views

CVE-2026-34374

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...

9.1CVSS5.9AI score0.00344EPSS
Exploits1References1
Veracode
Veracode
added 2026/03/28 5:15 a.m.6 views

SQL Injection

wwbn/avideo is vulnerable to a SQL Injection. The vulnerability is due to direct interpolation of user-controlled input into SQL queries without parameterization in the fixCleanTitle method, which allows an attacker to inject and execute arbitrary SQL commands...

9.8CVSS6.1AI score0.00492EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/27 6:16 p.m.2 views

CVE-2026-34374

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...

9.1CVSS5.9AI score0.00344EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/03/27 6:16 p.m.10 views

CVE-2026-34374

CVE-2026-34374 affects WWBN AVideo up to version 26.0. The vulnerability is due to Live_schedule::keyExists() constructing a SQL query by directly interpolating the stream key (unparameterized) when used as a fallback from LiveTransmition::keyExists(), bypassing the parameterized protection. This...

9.1CVSS5.9AI score0.00344EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/27 6:16 p.m.4 views

CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...

9.1CVSS5.9AI score0.00344EPSS
Exploits1References1
OSV
OSV
added 2026/03/27 6:16 p.m.5 views

CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...

9.1CVSS5.9AI score0.00344EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/27 4:13 p.m.25 views

CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...

7.1CVSS0.00492EPSS
Exploits1References2
CVE
CVE
added 2026/03/27 4:13 p.m.15 views

CVE-2026-33770

Summary: CVE-2026-33770 affects WWBN/AVideo up to version 26.0, where fixCleanTitle() in objects/category.php interpolates user-controlled data directly into a SQL query, enabling SQL injection when creating or renaming categories. The vulnerability stems from building the query with $clean_title...

9.8CVSS6AI score0.00492EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/27 4:13 p.m.3 views

CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...

7.1CVSS6AI score0.00492EPSS
Exploits1References2
OSV
OSV
added 2026/03/27 4:13 p.m.5 views

CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...

7.1CVSS6AI score0.00492EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/27 12:0 a.m.2 views

PT-2026-28624

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions up to and including 26.0 Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Live schedule::keyExists method builds a SQL query by directly inserting a stream key into the...

9.1CVSS5.8AI score0.00344EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/03/26 11:3 p.m.4 views

CVE-2026-33909

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL...

5.9CVSS6AI score0.0033EPSS
Exploits0References1
NVD
NVD
added 2026/03/26 9:17 p.m.4 views

CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...

6.5CVSS0.00276EPSS
Exploits1References3
OSV
OSV
added 2026/03/26 6:15 p.m.4 views

GHSA-584P-RPVQ-35VF AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...

7.1CVSS6AI score0.00492EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/26 6:15 p.m.7 views

AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...

9.8CVSS6AI score0.00492EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/03/26 6:12 p.m.6 views

SQL Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection in the getLike function in objects/like.php when user-supplied input for videosid is directly concatenated into a SQL query without proper...

8.8CVSS6AI score0.00509EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.4 views

PT-2026-28138

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3 Description OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a flaw where variables used in the MedEx recall/reminder processing code are...

5.9CVSS6AI score0.0033EPSS
Exploits0References5
Rows per page
Query Builder