CVE-2026-31845
CVE-2026-31845 describes a reflected XSS in Rukovoditel CRM ≤ 3.6.4 via the Zadarma telephony API endpoint (/api/tel/zadarma.php). The code path uses: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); which directly reflects user input from the zd_echo GET parameter into the HTTP response with...
CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php
AVideo is a video-sharing platform. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise and data exfiltration, e.g., configuration...