|
3011
|
6.5 |
MEDIUM
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows a…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41060
|
2026-04-25 00:08 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3012
|
8.1 |
HIGH
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()`…
|
CWE-22
Path Traversal
|
CVE-2026-41058
|
2026-04-25 00:07 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3013
|
7.1 |
HIGH
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` …
|
CWE-346
Origin Validation Error
|
CVE-2026-41057
|
2026-04-25 00:07 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3014
|
8.8 |
HIGH
Network
|
praison
|
praisonai
|
PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bund…
|
CWE-22
Path Traversal
|
CVE-2026-40157
|
2026-04-25 00:07 |
2026-04-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3015
|
6.5 |
MEDIUM
Network
|
vikunja
|
vikunja
|
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization obj…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-35594
|
2026-04-24 23:53 |
2026-04-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3016
|
6.5 |
MEDIUM
Network
|
praison
|
praisonaiagents
|
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No sc…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40150
|
2026-04-24 23:53 |
2026-04-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3017
|
5.5 |
MEDIUM
Network
|
-
|
-
|
IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could uploa…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2025-36074
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3018
|
9.8 |
CRITICAL
Network
|
-
|
-
|
In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OA…
|
CWE-89
SQL Injection
|
CVE-2026-29198
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3019
|
7.8 |
HIGH
Local
|
-
|
-
|
The installers of LiveOn Meet Client for Windows (Downloader5Installer.exe and Downloader5InstallerForAdmin.exe) and the installers of Canon Network Camera Plugin (CanonNWCamPlugin.exe and CanonNWCam…
|
CWE-427
Uncontrolled Search Path Element
|
CVE-2026-32679
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3020
|
7.5 |
HIGH
Network
|
-
|
-
|
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deploy…
|
CWE-269
Improper Privilege Management
|
CVE-2026-3621
|
2026-04-24 23:50 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
