62 matches found
NocoBase Has SQL Injection via template variable substitution in workflow SQL node
Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...
PT-2026-29814
Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.0.30 Description NocoBase is an AI-powered no-code/low-code platform. The plugin-workflow-sql component, in versions up to 2.0.8, directly substitutes template variables into raw SQL strings using getParsedValue...
EUVD-2026-17206
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "sectionid" and "userid", the /api/v2?cmd=gethomestats endpoint passe...
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
SQL Injection
wwbn/avideo is vulnerable to a SQL Injection. The vulnerability is due to direct interpolation of user-controlled input into SQL queries without parameterization in the fixCleanTitle method, which allows an attacker to inject and execute arbitrary SQL commands...
CVE-2026-34374
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374
CVE-2026-34374 affects WWBN AVideo up to version 26.0. The vulnerability is due to Live_schedule::keyExists() constructing a SQL query by directly interpolating the stream key (unparameterized) when used as a fallback from LiveTransmition::keyExists(), bypassing the parameterized protection. This...
CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-34374 AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Liveschedule::keyExists method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from LiveTransmition::keyExists...
CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...
CVE-2026-33770
Summary: CVE-2026-33770 affects WWBN/AVideo up to version 26.0, where fixCleanTitle() in objects/category.php interpolates user-controlled data directly into a SQL query, enabling SQL injection when creating or renaming categories. The vulnerability stems from building the query with $clean_title...
CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...
CVE-2026-33770 AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized...
PT-2026-28624
Name of the Vulnerable Software and Affected Versions WWBN AVideo versions up to and including 26.0 Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Live schedule::keyExists method builds a SQL query by directly inserting a stream key into the...
CVE-2026-33909
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL...
CVE-2026-33545
MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...
GHSA-584P-RPVQ-35VF AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...
AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables
Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...
SQL Injection
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection in the getLike function in objects/like.php when user-supplied input for videosid is directly concatenated into a SQL query without proper...
PT-2026-28138
Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3 Description OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a flaw where variables used in the MedEx recall/reminder processing code are...