28 matches found
PT-2026-45722
LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database...
UBUNTU-CVE-2025-60481
A NULL pointer dereference in the gfodfac4cfgdsiv1 function /odf/descriptors.c of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service DoS via supplying a crafted AC4 file...
CVE-2025-40899 Stored Cross-Site Scripting (XSS) in Assets and Nodes in Guardian/CMC before 26.0.0
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the...
CVE-2026-2728
LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page...
WWBN AVideo 安全漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained security vulnerabilities. These vulnerabilities stemmed from a lack of ownership checks at the plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint, whic...
Actual Sync Server has an Authenticated Path Traversal
Description Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments ../ can escape the intended directory and write files outsid...
CVE-2026-23605
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXBRuleName parameter to...
CVE-2025-67077
File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated, or under certain conditions also guest users, via the UploadTmpFile action...
CVE-2025-34438
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video...
AVideo 安全漏洞
AVideo is an open source broadcast network creation tool from World Wide Broadcast Network. A security vulnerability exists in AVideo versions prior to 20.0, which stems from a lack of ownership checks on endpoints, and could lead to authenticated users uploading comment images to other users'...
PT-2025-51887
Name of the Vulnerable Software and Affected Versions AVideo versions prior to 20.1 Description AVideo versions prior to 20.1 are susceptible to an insecure direct object reference IDOR that permits any authenticated user to delete media files owned by other users. The affected endpoint confirms...
CVE-2025-61927
CVE-2025-61927 affects Happy DOM v19 and earlier, where the Node.js VM Context is not isolated and untrusted JavaScript executed inside the Happy DOM VM can escape to access process-level functionality. Depending on module system (ESM vs CommonJS), attackers may obtain access to powerful objects ...
EUVD-2025-33386
An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Device Template Definition page that, when visited by another user, enables the attacker to execute commands with the...
EUVD-2025-27727
Malicious code in bioql PyPI...
CVE-2025-1301 Reflected XSS in Yordam Informatics' Library Automation System
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Yordam Informatics Library Automation System allows Reflected XSS. This issue affects Library Automation System: before 21.6...
Firmanet ERP SQL注入漏洞
Firmanet ERP is an e-commerce system from Firmanet, Inc. A SQL injection vulnerability exists in Firmanet ERP version 22.11.2024 and earlier, which stems from vulnerability to SQL injection attacks...
X.org Server Security Vulnerability
X.org Server is an open source free software from the X.org Foundation. A security vulnerability exists in versions of X.org Server prior to 21.1.11 that stems from incorrectly handling memory and could be exploited by an attacker to cause a denial of service, obtain sensitive information, or...
SUSE CVE-2012-2832
The image-codec implementation in the PDF functionality in Google Chrome before 20.0.1132.43 does not initialize an unspecified pointer, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document...
CVE-2022-1059
Aethon TUG Home Base Server versions prior to version 24 are affected by un unauthenticated attacker who can freely access hashed user credentials...
CVE-2021-39261
A crafted NTFS image can cause a heap-based buffer overflow in ntfscompressedpwrite in NTFS-3G 2021.8.22...