User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVE-2026-35449 WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

GHSA-HG8Q-8WQR-35XX AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

Information Exposure

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the install/test.php script when the command-line interface guard is disabled. An attacker can access sensitive information such as viewer...

EUVD-2026-17650

AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints...

AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Summary The AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses th...

CVE-2026-34732

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php...

CVE-2026-34732

WWBN AVideo CVE-2026-34732 affects the CreatePlugin list.json.php template (versions ≤26.0). The template ships without authentication/authorization checks, while add.json.php and delete.json.php require admin privileges. This omission creates 21 unauthenticated data-listing endpoints across the ...

PT-2026-29362

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php...

payload-labkit

payload-labkit Salam, praktisi keamanan! Berikut tiga daftar...

EUVD-2021-30937

Malicious code in bioql PyPI...

EUVD-2022-0064

Malicious code in bioql PyPI...

When AI chatbots leak and how it happens

In a recent article on Cybernews there were two clear signs of how fast the world of AI chatbots is growing. A company I had never even heard of had over 150 million app downloads across its portfolio, and it also had an exposed unprotected Elasticsearch instance. This needs a bit of an...

Router-Exploiter

Router-Exploiter A powerful and stealthy penetration testing t...

Malicious code in scrapy-user-agents (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d8ff2592eed2257896f8765049b3073fd6bb14f2696691bb3ed2f8925b0ea1e6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4880 Malicious code in scrapy-user-agents (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d8ff2592eed2257896f8765049b3073fd6bb14f2696691bb3ed2f8925b0ea1e6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...