| # | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Date/time | Date |
|---|---|---|---|---|---|---|---|---|---|---|
| 3491 | 9.3 | CRITICAL | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `cu… | CWE-78 OS Command | CVE-2026-41064 | 2026-04-25 00:10 | 2026-04-22 |
| 3492 | 5.4 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override … | CWE-79 Cross-site Scripting | CVE-2026-41063 | 2026-04-25 00:08 | 2026-04-22 |
| 3493 | 6.5 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the U… | CWE-22 Path Traversal | CVE-2026-41062 | 2026-04-25 00:08 | 2026-04-22 |
| 3494 | 5.4 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor,… | CWE-79 Cross-site Scripting | CVE-2026-41061 | 2026-04-25 00:08 | 2026-04-22 |
| 3495 | 6.5 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows a… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-41060 | 2026-04-25 00:08 | 2026-04-22 |
| 3496 | 8.1 | HIGH | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()`… | CWE-22 Path Traversal | CVE-2026-41058 | 2026-04-25 00:07 | 2026-04-22 |
| 3497 | 7.1 | HIGH | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` … | CWE-346 Origin Validation Error | CVE-2026-41057 | 2026-04-25 00:07 | 2026-04-22 |
| 3498 | 8.8 | HIGH | Network | praison | praisonai | PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bund… | CWE-22 Path Traversal | CVE-2026-40157 | 2026-04-25 00:07 | 2026-04-11 |
| 3499 | 6.5 | MEDIUM | Network | vikunja | vikunja | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization obj… | CWE-613 Insufficient Session Expiration | CVE-2026-35594 | 2026-04-24 23:53 | 2026-04-11 |
| 3500 | 6.5 | MEDIUM | Network | praison | praisonaiagents | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No sc… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-40150 | 2026-04-24 23:53 | 2026-04-10 |