Lucene search
+L

3133 matches found

Snyk
Snyk
added 2026/05/18 1:30 p.m.10 views

Improper Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Improper Authorization via the mention.json.php process. An attacker can enumerate user information by sending unauthenticated requests that match the required inp...

6.9CVSS5.8AI score0.00193EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/18 1:30 p.m.19 views

AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration sibling that survives `d9cdc7024`

CVE-2026-43881 fix d9cdc7024 patched users.json.php only. The same anti-pattern survives at master HEAD in: objects/mention.json.php:17 $ignoreAdmin = true; objects/mention.json.php:18 $users = User::getAllUsers$ignoreAdmin, 'name', 'email', 'user', 'channelName', 'a'; No User::loginCheck, no adm...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.9 views

PT-2026-41716

Name of the Vulnerable Software and Affected Versions AVideo versions 29.0 and earlier Description An issue exists in the open source video platform where the endpoint "objects/mention.json.php" lacks a User::loginCheck or admin gate. The endpoint only implements an entry guard using preg...

5.3CVSS5.8AI score0.00193EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/15 7:18 p.m.67 views

CVE-2026-45399 Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST...

7.1CVSS0.0027EPSS
Exploits1References1
NVD
NVD
added 2026/05/12 10:16 p.m.15 views

CVE-2026-44306

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-u...

5.3CVSS0.00206EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 9:30 p.m.8 views

CVE-2026-44306

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-u...

5.3CVSS5.8AI score0.00206EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.13 views

Statamic 安全漏洞

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. There were security vulnerabilities in versions prior to Statamic 5.73.21 and 6.15.0, where the password form’s respons...

5.3CVSS5.8AI score0.00206EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/11 8:38 p.m.7 views

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS5.7AI score0.0027EPSS
Exploits0References2
CVE
CVE
added 2026/05/11 8:38 p.m.12 views

CVE-2026-43881

Technical details about CVE-2026-43881 are not provided in the connected documents. The Initial Description summarizes the vulnerability, but no vendor/product/version specifics or remediation are included here. Monitor for updated advisories and fixes.

5.3CVSS5.7AI score0.0027EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 8:38 p.m.41 views

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS0.0027EPSS
Exploits0References2
OSV
OSV
added 2026/05/11 8:38 p.m.2 views

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/09 12:0 a.m.6 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-017335)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017335 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.checkpassword function for...

5.3CVSS5.8AI score0.00713EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.14 views

PT-2026-39276

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description An issue exists in the 'GET /api/v1/channels/id/members' endpoint where membership checks are only performed for group and dm channel types. For standard channels, including private ones, the syst...

4.3CVSS6.1AI score0.00221EPSS
Exploits1References12
EUVD
EUVD
added 2026/05/06 6:30 p.m.19 views

EUVD-2026-27863

A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could...

5.3CVSS5.8AI score0.00275EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/06 4:14 p.m.34 views

CVE-2026-20195 Cisco Identity Services Engine Observable Response Discrepancy Vulnerability

A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could...

5.3CVSS0.00275EPSS
Exploits0References1
CVE
CVE
added 2026/05/06 4:14 p.m.30 views

CVE-2026-20195

The CVE concerns Cisco Identity Services Engine (ISE) where an identity management API endpoint exposes error-based responses that let unauthenticated remote attackers enumerate valid usernames. The issue stems from observable error messages when the affected API is invoked, enabling an attacker ...

5.3CVSS5.8AI score0.00275EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.22 views

PT-2026-38302

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.21 Statamic versions prior to 6.15.0 Description Responses from the forgot password forms reveal whether an account exists for a specific email address. This allows an unauthenticated attacker to perform user...

5.3CVSS5.8AI score0.00206EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/05 10:2 p.m.10 views

AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction

Summary objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller including unauthenticated visitors, which defeats the admin-only guard...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/05 8:14 p.m.5 views

GHSA-MM2Q-QCMX-GW4W RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover

Summary ListServiceAccount GET /rustfs/admin/v3/list-service-accounts?user= authorizes cross-user requests against UpdateServiceAccountAdminAction instead of ListServiceAccountsAdminAction at rustfs/src/admin/handlers/serviceaccount.rs:936. The handler accepts the wrong admin action and rejects t...

8.7CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/05 8:14 p.m.25 views

RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover

Summary ListServiceAccount GET /rustfs/admin/v3/list-service-accounts?user= authorizes cross-user requests against UpdateServiceAccountAdminAction instead of ListServiceAccountsAdminAction at rustfs/src/admin/handlers/serviceaccount.rs:936. The handler accepts the wrong admin action and rejects t...

5.8AI score
Exploits0References2Affected Software1
Rows per page
Query Builder