Remote code execution in AVideo versions 29.0 and below allows unauthenticated attackers to execute arbitrary shell commands on the server via command injection in the CloneSite plugin's cloneServer.json.php endpoint. Attackers exploit unsanitized user input in the 'url' parameter that gets directly concatenated into a wget command executed through PHP's exec() function. With CVSS 8.9 (AV:N/AC:L/PR:N/UI:N) and proof-of-concept exploitation confirmed (E:P), this represents a critical risk requiring immediate patching. Fix available in commit 473c609fc2defdea8b937b00e86ce88eba1f15bb.
Stored cross-site scripting (XSS) in mailcow: dockerized (versions prior to 2026-03b) allows remote unauthenticated attackers to execute arbitrary JavaScript in administrator sessions by delivering emails with malicious attachment filenames. When administrators view quarantined emails through the web interface, unsanitized filenames inject into HTML without escaping, triggering automatic JavaScript execution that can compromise administrator accounts. No public exploit or active exploitation confirmed at time of analysis, though CVSS 8.9 (CVSS 4.0) reflects high impact with low attack complexity requiring user interaction.
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthenticated SSRF to internal services. By chaining this with regex filter queries against an internal API and measuring response time differences, an attacker could infer secret values character by character. Exploitation required that private mode be disabled and that the attacker be able to chain the instance's open redirect endpoint through an external redirect to reach internal services. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.
Remote code execution in Dolibarr ERP 22.0.4 and earlier allows authenticated users with PHP content editing permissions to execute arbitrary OS commands on the server. The vulnerability stems from a bypassable blacklist-based filter for dangerous PHP functions in the Website module. Attack complexity is low (CVSS AV:N/AC:L/PR:L), requiring only valid low-privilege credentials. Public proof-of-concept code exists on GitHub, though CISA has not confirmed active exploitation. EPSS data is unavailable, but SSVC assessment indicates total technical impact with no current exploitation evidence.
Privilege escalation in Neko virtual browser (versions 3.0.0-3.0.10, 3.1.0-3.1.1) allows any authenticated user with low privileges to immediately gain full administrative control over the entire instance, including member management, room settings, broadcast control, and session termination. This complete instance compromise requires only network access and valid user credentials (CVSS 8.8, AV:N/AC:L/PR:L). While EPSS exploitation probability is low (0.12%, 31st percentile) and no active exploitation has been confirmed, the vulnerability is trivially exploitable by any authenticated user and classified as non-automatable but with total technical impact per SSVC. Vendor patches are available in versions 3.0.11 and 3.1.2.
Privilege escalation in Firefox WebRender allows remote attackers to gain elevated access through malicious web content requiring user interaction. Affects Firefox versions before 150, Firefox ESR before 115.35, and Firefox ESR before 140.10. Mozilla released patches in advisories MFSA2026-30 through MFSA2026-34. CVSS 8.8 (High) severity with network attack vector, but exploitation requires user interaction (visiting malicious site). No public exploit identified at time of analysis, with SSVC framework indicating no confirmed exploitation and partial technical impact.
Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.
Authenticated users with restricted HTML/JavaScript editing permissions in Dolibarr ERP & CRM 22.0.4 and earlier can escalate privileges to execute arbitrary PHP code via the Website module. The vulnerability exploits inconsistent permission enforcement across input parameters during website page creation, allowing low-privileged authenticated users to bypass intended restrictions and inject PHP code. Public proof-of-concept exists on GitHub (PhDg1410), though no active exploitation is confirmed by CISA KEV. EPSS data unavailable, but the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability when exploited by authenticated insiders or compromised accounts.
State corruption in UltraDAG 0.1 allows remote unauthenticated attackers to bypass authorization controls and manipulate blockchain state integrity through malformed SmartOp::Vote transactions. The vulnerability enables attackers to trigger state mutations before authorization checks complete, causing high availability impact and low integrity impact to the blockchain. No active exploitation or public POC has been identified, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against default configurations. Upstream fixes are available via GitHub commits but no tagged release version has been confirmed.
Privilege escalation in Firefox's Debugger component allows remote attackers to gain elevated system privileges after user interaction with a malicious site. Affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10. CVSS 8.8 severity with network attack vector and no authentication required. SSVC framework indicates no active exploitation detected and non-automatable attack pattern. Vendor-released patches available in Firefox 150 and Firefox ESR 140.10 per Mozilla security advisories MFSA2026-30 through MFSA2026-34.
Remote attackers can escalate privileges in Firefox and Firefox ESR through a flaw in the Networking component when a user interacts with malicious content. The vulnerability affects Firefox versions prior to 150 and Firefox ESR versions prior to 140.10, allowing attackers with no initial privileges to achieve high impact on confidentiality, integrity, and availability. Mozilla has released patches for both product lines. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV); public exploit code status unknown.
Electric is a Postgres sync engine. From 1.1.12 to before 1.5.0, the order_by parameter in the ElectricSQL /v1/shape API is vulnerable to error-based SQL injection, allowing any authenticated user to read, write, and destroy the full contents of the underlying PostgreSQL database through crafted ORDER BY expressions. This vulnerability is fixed in 1.5.0.
Remote filesystem bridge in OpenClaw (<2026.3.31) enables sandbox escape through a TOCTOU race condition in readFile validation. Authenticated remote attackers can exploit the timing gap between path validation and file read operations to bypass sandbox restrictions and access arbitrary files outside the intended security boundary, potentially compromising both confidentiality and integrity of the underlying system. EPSS score of 0.03% (7th percentile) suggests low probability of widespread exploitation despite CVSS 8.8 severity, though patch availability from vendor (commit 121870a) enables defenders to remediate proactively before active exploitation begins.
A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.
Out-of-bounds buffer write in CPython's asyncio.ProactorEventLoop (Windows only) allows remote attackers to trigger memory corruption via oversized network data. The sock_recvfrom_into() method lacks buffer size validation when the nbytes parameter is used, enabling writes beyond allocated memory boundaries. Patch available via GitHub PR #148809. CVSS 8.8 reflects network-accessible attack surface with no authentication required, though exploitation is platform-specific (Windows only) and requires specific asyncio usage patterns.
Remote code execution in Quantum Networks router QN-I-470 allows authenticated attackers to execute arbitrary OS commands as root via command injection in the management CLI interface. The vulnerability stems from inadequate input sanitization, enabling low-privileged authenticated users to escalate privileges to root level. CVSS 8.7 (Critical) reflects network-accessible exploitation with low complexity, requiring only low-privilege authentication. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, but the authenticated nature and CLI access requirement limits exploitation to users with existing device credentials.
Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.
Authorization bypass in OpenClaw before 2026.3.28 allows authenticated Discord users to approve pending host execution requests without proper privileges. Attackers with low-privileged Discord accounts can bypass the execApprovals.approvers allowlist by sending crafted Discord text commands, gaining unauthorized approval authority for exec requests. EPSS score is relatively low (0.06%, 18th percentile), and no active exploitation is confirmed, but the vulnerability enables complete compromise of the execution approval workflow with low attack complexity.
Information disclosure in Quantum Networks Router QN-I-470 version 6.1.1.B1 allows unauthenticated remote attackers to access sensitive internal data including API endpoints, scripts, and directories through exposed web management interface. Vulnerability stems from improper access control and insecure default configuration (CWE-306). CVSS 8.7 reflects network-accessible, low-complexity attack requiring no authentication or user interaction. No public exploit code identified at time of analysis, though the attack surface (exposed API endpoints) suggests straightforward exploitation. Reported by CERT-In (India national CERT), indicating potential regional targeting or discovery during incident response.
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnerability is fixed in 0.16.2.
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.
Remote attackers can install and activate arbitrary plugins in HKUDS OpenHarness through exposed plugin management commands. Pre-PR#156 versions expose /plugin install, /plugin enable, /plugin disable, and /reload-plugins endpoints to unauthenticated remote senders via the channel layer, allowing complete control over plugin trust and activation state. Vendor patch available in v0.1.7 (commit 59017e0). CVSS 8.7 with network vector and no authentication required, though user interaction is needed. No active exploitation confirmed (not in CISA KEV), but VulnCheck advisory and GitHub references provide technical details that could facilitate exploitation.
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
Remote code execution with root privileges in Quantum Networks router QN-I-470 version 6.1.1.B1 allows adjacent network attackers to execute arbitrary OS commands through the management CLI interface via command injection. The vulnerability requires no authentication (CVSS PR:N) and exploits inadequate input sanitization (CWE-78). Adjacent network access (AV:A) limits attack surface to local network segments. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though EPSS data unavailable to assess real-world exploitation probability.
Command injection in FreePBX API module 17.0.8 and earlier allows authenticated attackers with valid bearer tokens to execute arbitrary operating system commands as the web server user via malicious GraphQL mutations. The initiateGqlAPIProcess() function passes unsanitized GraphQL moduleOperations mutation input directly to shell_exec(), enabling backtick-wrapped command execution. While requiring high privileges (PR:H), the vulnerability provides complete system compromise within the web server context (CVSS 8.6). Vendor patch available via GitHub commit 5f194e39. No public exploit code or active exploitation confirmed at time of analysis.
Authenticated users in Horilla HRMS 1.5.0 can overwrite or corrupt any employee's documents via insecure direct object reference (IDOR) in the document upload endpoint. By manipulating the document ID parameter in upload requests, attackers with low-level access can modify HR records belonging to other employees, including executives or administrators. This enables unauthorized tampering with sensitive personnel files such as contracts, certifications, or compliance documents. EPSS data not available; no confirmed active exploitation (not in CISA KEV), though exploitation requires only basic authentication and no technical complexity (CVSS AV:N/AC:L/PR:L).
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack=<binary>. Combined with the validateRepoURL function explicitly permitting URLs that begin with / (local filesystem paths), a tenant who can submit ResolutionRequest objects can chain these two behaviors to execute an arbitrary binary on the resolver pod. The tekton-pipelines-resolvers ServiceAccount holds cluster-wide get/list/watch on all Secrets, so code execution on the resolver pod enables full cluster-wide secret exfiltration. This vulnerability is fixed in 1.11.1.
Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.
Vulnerability in the Oracle Life Sciences Empirica Signal product of Oracle Life Science Applications (component: Common Core). Supported versions that are affected are 9.2.1-9.2.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Empirica Signal. While the vulnerability is in Oracle Life Sciences Empirica Signal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Life Sciences Empirica Signal accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Empirica Signal accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or crash the application via maliciously crafted Opus audio frames. The vulnerability stems from undersized FEC decode buffers (960 bytes at 8 kHz mono) that receive up to 1280 bytes of encoded data without bounds checking during Opus codec decoding. With CVSS 8.5 severity and a public GitHub commit fix available, this represents a high-impact memory corruption vulnerability in a widely-deployed VoIP library, though exploitation requires local access and user interaction (AV:L/UI:P), limiting remote attack scenarios.
Local privilege escalation in CivetWeb v1.16 service allows authenticated users to execute arbitrary code with SYSTEM privileges via unquoted service path exploitation. The Windows service configuration lacks quotes around 'C:\Program Files\CivetWeb\CivetWeb.exe', enabling attackers to place malicious executables in directories scanned before the intended path (e.g., 'C:\Program.exe' or 'C:\Program Files\CivetWeb.exe'). No public exploit identified at time of analysis, though EPSS data not available. Patch available per vendor advisory from INCIBE.
Malicious workspace plugins in OpenClaw versions before 2026.4.2 achieve arbitrary code execution by shadowing built-in channel IDs during workspace clone and setup operations. The vulnerability exploits a trust boundary flaw (CWE-829) where untrusted plugins execute before explicit user trust confirmation, requiring only that a victim clone a poisoned workspace repository. With CVSS 8.5 (High) and local attack vector requiring user interaction, real-world risk is moderate: EPSS probability sits at 0.01% (2nd percentile) with no confirmed active exploitation (not in CISA KEV), and SSVC assessment classifies it as non-automatable with total technical impact but no current exploitation.
OpenClaw versions before 2026.3.28 allow local attackers to inject malicious environment variables by placing a .env file in the current working directory, which is loaded before trusted state-directory configuration during application startup. This enables attackers to override security-sensitive runtime settings without privileges, achieving high confidentiality, integrity, and availability impact with low complexity when a user launches OpenClaw from a compromised directory. Exploitation probability is minimal (EPSS 0.01%, percentile 2%) with no active exploitation confirmed (not in CISA KEV), but a public advisory from VulnCheck describes the attack mechanism, making exploitation straightforward for local threat actors.
Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) enables local attackers to trigger memory corruption when processing maliciously crafted EXR image files requiring user interaction. This vulnerability represents a missed instance of the same integer overflow pattern addressed in related CVEs 2026-34589, 34588, and 34544, occurring in `internal_dwa_compressor.h:1040` where width multiplication lacks proper size_t casting. Given the local attack vector requiring user interaction (CVSS AV:L/UI:A), real-world exploitation requires social engineering to trick users into opening weaponized EXR files, making this primarily a workstation-targeted threat in media production environments. No active exploitation or public POC identified at time of analysis.
Integer overflow in OpenEXR's DWA compressor (versions 3.2.0-3.2.7, 3.3.0-3.3.9, 3.4.0-3.4.9) allows local attackers to trigger memory corruption via maliciously crafted EXR image files requiring user interaction. This overflow at internal_dwa_compressor.h:1722 was missed in the CVE-2026-34589 remediation batch, performing width*height multiplication in 32-bit arithmetic without proper bounds checking. While CVSS scores 8.4 (High), the local attack vector and required user interaction (opening malicious file) somewhat limit real-world exploitation compared to remotely exploitable vulnerabilities. No EPSS score or KEV status available; exploitation probability depends on attacker's ability to deliver weaponized EXR files to targets in media production environments.
Path traversal in OpenClaude CLI versions before 0.5.1 allows local authenticated users to bypass sandbox directory restrictions and access arbitrary filesystem paths. A logic flaw in the bash permission handler causes path constraint checks to be skipped when sandbox auto-allow is enabled without explicit deny rules, permitting traversal sequences like '../../../etc/passwd' to escape containment boundaries. EPSS score of 0.01% indicates low probability of widespread exploitation, and no active exploitation has been reported.
ClearanceKit 5.0.4 and earlier allows local attackers with low-privilege accounts to bypass file-system access controls and read/modify all protected files by spoofing Apple platform binary status. The vulnerability stems from incorrect validation of code signing identifiers - specifically, treating processes with empty Team IDs but non-empty Signing IDs as trusted Apple binaries. Malicious software can exploit this logic flaw to impersonate processes in the global allowlist and gain unauthorized access to sensitive data. CVSS 8.4 reflects high confidentiality and integrity impact in local attack scenarios. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the GitHub security advisory provides detailed vulnerability disclosure.
In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.
Authentication bypass in OAuth2 Proxy 7.5.0-7.15.1 allows remote unauthenticated attackers to access protected resources by exploiting path normalization discrepancies between the proxy and backend services. When deployments use skip_auth_routes or skip_auth_regex with broad wildcard patterns, attackers can inject '#' or '%23' (URL-encoded fragment delimiter) to match public allowlist rules while the upstream application serves sensitive endpoints. CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) reflects network-based unauthenticated access; no public exploit identified at time of analysis. EPSS data not provided. Fixed in version 7.15.2 through conservative path normalization.
Remote denial of service in Zervit portable HTTP/web server allows unauthenticated attackers to crash the application via malformed configuration reset requests. Network-accessible (AV:N) with low complexity (AC:L) but requires specific timing (AT:P). EPSS data unavailable; not listed in CISA KEV. No public exploit code identified at time of analysis. High availability impact (VA:H) makes this critical for production deployments, though manual restart capability partially mitigates sustained outage risk.
Out-of-bounds read in NVIDIA CUDA-Q endpoint allows remote unauthenticated attackers to crash services and disclose sensitive memory contents via malformed network requests. The vulnerability affects an exposed network endpoint with no authentication barrier (CVSS AV:N/AC:L/PR:N/UI:N), enabling trivial exploitation against internet-facing deployments. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting exploitation remains theoretical or limited to targeted scenarios.
Local privilege escalation in ClearanceKit opfilter system extension allows root-level processes on macOS to completely bypass file-access policy enforcement by suspending or killing the Endpoint Security extension. An attacker with root access can send SIGSTOP to the uk.craigbass.clearancekit.opfilter extension, causing all AUTH events to time out and silently default to allow, effectively disabling all ClearanceKit file-access controls. This represents a critical security control bypass for environments relying on ClearanceKit for file-system access restrictions. Fixed in version 5.0.6. No public exploit identified at time of analysis, though exploitation is straightforward for any attacker who has already achieved root access on the macOS system.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b0b6accdbd613e7b2 contains an updated fix.
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` - the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.
Account takeover in blueprintUE Self-Hosted Edition <4.2.0 allows authenticated attackers to permanently hijack any account by changing its password without current password verification. Attackers who obtain session access through XSS, session hijacking, physical access, or stolen cookies can immediately lock out legitimate users. The vulnerability requires low-privileged authentication (PR:L) but has high confidentiality and integrity impact, enabling full account control and data access. Fixed in version 4.2.0.