CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

2 minutes ago • CVE-2026-33499 • Severity 6.1

CVE-2026-33499: Reflected Cross-Site Scripting in WWBN AVideo Password Forms

WWBN AVideo versions up to and including 26.0 suffer from a reflected Cross-Site Scripting (XSS) vulnerability. The application fails to sanitize the `unlockPassword` parameter in password-protected page templates, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser context.

Alon Barad • 0 views • 6 min read
32 minutes ago • CVE-2026-33513 • Severity 8.6

CVE-2026-33513: Unauthenticated Local File Inclusion in WWBN AVideo API Plugin

CVE-2026-33513 is a high-severity vulnerability within the API plugin of WWBN AVideo (formerly YouPHPTube). The flaw resides in the locale API name handling, exposing an unauthenticated endpoint to directory traversal. Attackers can leverage this vulnerability to perform arbitrary PHP file inclusion, leading to information disclosure and potential Remote Code Execution (RCE) on the underlying server.

Alon Barad • 2 views • 6 min read
About 1 hour ago • CVE-2026-33500 • Severity 5.4

CVE-2026-33500: Stored Cross-Site Scripting via Markdown Parsing Bypass in WWBN AVideo

WWBN AVideo versions up to and including 26.0 contain a stored Cross-Site Scripting (XSS) vulnerability. The application utilizes a custom Markdown parsing class that intentionally disables built-in security features, allowing authenticated attackers to inject malicious JavaScript via formatted links. This flaw bypasses previous sanitization efforts introduced to remediate CVE-2026-27568.

Alon Barad • 2 views • 6 min read
About 2 hours ago • CVE-2026-33501 • Severity 5.3

CVE-2026-33501: Missing Authorization Information Disclosure in WWBN AVideo Permissions Plugin

WWBN AVideo versions 26.0 and prior suffer from a missing authorization vulnerability (CWE-862) in the Permissions plugin. Unauthenticated attackers can query the list.json.php endpoint to extract the complete internal permission matrix, detailing the relationships between user groups and plugins. This flaw arises from a failure to implement the function-level access control checks that are present in sibling administrative endpoints.

Amit Schendel • 4 views • 5 min read
About 2 hours ago • CVE-2026-33507 • Severity 8.8

CVE-2026-33507: Remote Code Execution via Cross-Site Request Forgery in WWBN AVideo

WWBN AVideo versions up to and including 26.0 are vulnerable to a Cross-Site Request Forgery (CSRF) flaw in the plugin upload mechanism. Due to an insecure session cookie configuration and missing request validation, an unauthenticated attacker can upload a malicious plugin by tricking an authenticated administrator into visiting a crafted webpage. This allows the attacker to deploy a web shell and achieve Remote Code Execution (RCE) on the underlying server.

Alon Barad • 4 views • 7 min read
About 3 hours ago • CVE-2026-33502 • Severity 9.3

CVE-2026-33502: Unauthenticated SSRF and Command Injection in WWBN AVideo

WWBN AVideo versions up to and including 26.0 suffer from a critical unauthenticated Server-Side Request Forgery (SSRF) and OS Command Injection vulnerability in the Live plugin's test endpoint. This flaw permits remote attackers to probe internal networks, exfiltrate cloud metadata, and execute arbitrary system commands.

Alon Barad • 3 views • 7 min read
2 days ago • CVE-2025-55988 • Severity 9.8

CVE-2025-55988: Path Traversal and Remote Code Execution in DreamFactory Core

DreamFactory Core v1.0.3 contains a critical directory traversal vulnerability within the RestController component. The application fails to properly sanitize the resource URI parameter before utilizing it in downstream service logic. This allows an unauthenticated attacker to bypass implemented filters using nested traversal sequences, leading to arbitrary file read and remote code execution.

Amit Schendel • 8 views • 6 min read
2 days ago • GHSA-F67F-HCR6-94MF • Severity 9.3

GHSA-f67f-hcr6-94mf: OS Command Injection in Zen-Ai-Pentest GitHub Actions Workflows

A critical OS command injection vulnerability exists in multiple GitHub Actions workflows within the SHAdd0WTAka/Zen-Ai-Pentest repository. The vulnerability allows unauthenticated attackers to execute arbitrary shell commands on the GitHub runner by submitting specially crafted issue titles, leading to the exfiltration of repository secrets.

Alon Barad • 6 views • 6 min read
3 days ago • GHSA-PWJX-QHCG-RVJ4 • Severity 4.4

GHSA-pwjx-qhcg-rvj4: Certificate Revocation Bypass via Iterator Exhaustion in rustls-webpki

The `rustls-webpki` crate contains a logic flaw in its certificate revocation enforcement mechanism. Due to the improper reuse of one-shot DER iterators during Certificate Revocation List (CRL) processing, the verifier fails to match legitimate Distribution Points (DPs) to Issuing Distribution Points (IDPs), potentially leading to the acceptance of revoked certificates under permissive configurations.

Alon Barad • 6 views • 7 min read
3 days ago • GHSA-MWJC-5J4X-R686 • Severity 10.0

CVE-2025-34433: Unauthenticated Remote Code Execution via Cryptographic Failures in AVideo

AVideo versions 14.3.1 through 20.0 are vulnerable to an unauthenticated Remote Code Execution (RCE) flaw. The vulnerability arises from a chain of information disclosure, predictable cryptographic salt generation, and an unsafe evaluation sink. An unauthenticated attacker can mathematically derive the internal encryption key and forge authenticated payloads to achieve full system compromise.

Alon Barad • 9 views • 6 min read
3 days ago • GHSA-8FW8-Q79C-FP9M • Severity 8.6

GHSA-8FW8-Q79C-FP9M: Unauthenticated Local File Inclusion and Remote Code Execution in AVideo API

The AVideo platform contains an unauthenticated Local File Inclusion (LFI) vulnerability in its API locale handler. The application fails to sanitize user input before concatenating it into a PHP include statement, allowing attackers to execute arbitrary local PHP files and potentially achieve Remote Code Execution.

Amit Schendel • 8 views • 7 min read
3 days ago • GHSA-X49Q-FHHM-R9JF • Severity 9.9

GHSA-rqpp-rjj8-7wv8: Privilege Escalation via WebSocket Authorization Bypass in OpenClaw

A logic flaw in the OpenClaw gateway WebSocket connection handler permits clients authenticating with shared tokens to self-declare and retain elevated administrative scopes. This vulnerability allows an attacker possessing a low-privileged shared secret to bypass intended device-identity boundaries and execute administrative RPC commands against the gateway.

Alon Barad • 7 views • 5 min read
Automated vulnerability intelligence. 1,182+ reports.