Total CVEs

143,818

Critical Severity

4,094

High Severity

14,786

Last 7 Days

1,526
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 19,741 - 19,760 of 40,223 CVEs
CVE-2026-41061 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duratio...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41060 HIGH - 7.7

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check comp...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41058 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `deleteDump` parameter does not apply path traversal filtering, allowing `unlink()` of arbitrary files via `../../` sequences in the GET parameter. Commit 3c729717c26f160014a5c86b...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41057 HIGH - 7.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 un...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41056 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-41055 HIGH - 8.6

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal e...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40935 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined w...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40929 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40928 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A ...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD
CVE-2026-40926 HIGH - 7.1

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints โ€” `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` โ€” enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin...

Vendor: WWBN
Product: AVideo
Published: Apr 21, 2026
Source: NVD

An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body....

Published: Apr 21, 2026
Source: NVD
CVE-2026-6832 HIGH - 8.1

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidated ...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6830 LOW - 3.3

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6829 MEDIUM - 6.3

nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/st...

Published: Apr 21, 2026
Source: NVD
CVE-2026-6799 MEDIUM - 6.3

A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The ...

Published: Apr 21, 2026
Source: NVD
CVE-2026-41527 MEDIUM - 6.9

KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.

Vendor: KDE
Product: Kleopatra
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelated...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This vulnera...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. ...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing...

Vendor: oxia-db
Product: oxia
Published: Apr 21, 2026
Source: NVD