Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,797
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 18,501 - 18,520 of 38,993 CVEs
CVE-2026-41064 CRITICAL - 9.3

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's `test.php` adds `escapeshellarg` for wget but leaves the `file_get_contents` and `curl` code paths unsanitized, and the URL validation regex `/^http/` accepts strings like `httpevi...

Vendor: WWBN
Product: AVideo
Published: Apr 22, 2026
Source: NVD
CVE-2026-41059 HIGH - 8.2

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of `skip_auth_routes` or the legacy `skip_auth_regex`; use of patt...

Vendor: oauth2-proxy
Product: oauth2-proxy
Published: Apr 22, 2026
Source: NVD
CVE-2026-5921 HIGH - 8.9

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the noteboo...

Vendor: github
Product: enterprise_server
Published: Apr 21, 2026
Source: NVD

An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that trea...

Published: Apr 21, 2026
Source: NVD

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error messa...

Published: Apr 21, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: Apr 21, 2026
Source: NVD

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as http_proxy. Exploitation of ...

Published: Apr 21, 2026
Source: NVD

An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious authorization link that, whe...

Published: Apr 21, 2026
Source: NVD
CVE-2026-41063 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypas...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41062 MEDIUM - 6.5

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for `objects/aVideoEncoderReceiveImage.json.php` only checks the URL path component (via `parse_url($url, PHP_URL_PATH)`) for `..` sequences. However, the downstream f...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41061 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duratio...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41060 HIGH - 7.7

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check comp...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41058 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41057 HIGH - 7.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 un...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41056 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41055 HIGH - 8.6

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal e...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40935 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined w...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40929 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40928 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A ...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40926 HIGH - 7.1

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD