| # | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Dates (as listed) |
|---|------|----------|--------|--------|---------|-------------|-----|-----|-------------------|
| 3191 | 6.5 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the U… | CWE-22 Path Traversal | CVE-2026-41062 | 2026-04-25 00:08 / 2026-04-22 |
| 3192 | 5.4 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor,… | CWE-79 Cross-site Scripting | CVE-2026-41061 | 2026-04-25 00:08 / 2026-04-22 |
| 3193 | 6.5 | MEDIUM | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows a… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-41060 | 2026-04-25 00:08 / 2026-04-22 |
| 3194 | 8.1 | HIGH | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()`… | CWE-22 Path Traversal | CVE-2026-41058 | 2026-04-25 00:07 / 2026-04-22 |
| 3195 | 7.1 | HIGH | Network | wwbn | avideo | WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` … | CWE-346 Origin Validation Error | CVE-2026-41057 | 2026-04-25 00:07 / 2026-04-22 |
| 3196 | 8.8 | HIGH | Network | praison | praisonai | PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bund… | CWE-22 Path Traversal | CVE-2026-40157 | 2026-04-25 00:07 / 2026-04-11 |
| 3197 | 6.5 | MEDIUM | Network | vikunja | vikunja | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization obj… | CWE-613 Insufficient Session Expiration | CVE-2026-35594 | 2026-04-24 23:53 / 2026-04-11 |
| 3198 | 6.5 | MEDIUM | Network | praison | praisonaiagents | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No sc… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-40150 | 2026-04-24 23:53 / 2026-04-10 |
| 3199 | 5.5 | MEDIUM | Network | - | - | IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 IBM Security Verify Directory could be vulnerable to malicious file upload by not validating file type. A privileged user could uploa… | CWE-434 Unrestricted Upload of File with Dangerous Type | CVE-2025-36074 | 2026-04-24 23:50 / 2026-04-23 |
| 3200 | 9.8 | CRITICAL | Network | - | - | In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OA… | CWE-89 SQL Injection | CVE-2026-29198 | 2026-04-24 23:50 / 2026-04-23 |