Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-32879 — New API has passkey-based secure step-up verification bypass for root-only channel secret…

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an a…

| Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
0.0 NA
CVE-2026-4596 — projectworlds Lawyer Management System lawyers.php cross site scripting

A vulnerability was identified in projectworlds Lawyer Management System 1.0. This issue affects some unknown processing of the file /lawyers.php. The manipulation of the argument first_Name leads to…

| Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
0.0 NA
CVE-2026-30886 — New API: IDOR in VideoProxy allows cross-user video content access via missing ownership …

New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in t…

| Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
4.8 MEDIUM
CVE-2026-4595 — code-projects Exam Form Submission update_s6.php cross site scripting

A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can …

Remote | Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.1 HIGH
CVE-2026-33723 — AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Paramete…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.6 HIGH
CVE-2026-33719 — AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Byp…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authenticatio…

Remote | Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2026-33717 — AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downlo…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-acc…

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
9.4 CRITICAL
CVE-2026-33716 — AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in …

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-suppli…

Remote | Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-33690 — AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the clie…

Remote | Information Disclosure
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-33688 — AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recover…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks b…

Remote | Information Disclosure
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-33685 — AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campai…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any u…

Remote | Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.4 MEDIUM
CVE-2026-33683 — AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbi…

Remote | Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.2 HIGH
CVE-2026-33681 — AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File …

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugi…

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.1 HIGH
CVE-2026-33651 — AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitiza…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.6 HIGH
CVE-2026-33650 — AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Vi…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations —…

Remote | Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.1 HIGH
CVE-2026-33649 — AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitr…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that…

Remote | Cross-Site Request Forgery
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2026-33648 — AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmition…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHist…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2026-33647 — AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery Fi…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives…

Remote | Misconfiguration
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.6 HIGH
CVE-2026-33513 — AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writa…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonical…

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.5 HIGH
CVE-2026-33512 — AVideo has an unauthenticated decrypt oracle leaking any ciphertext

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receiv…

Remote | Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
Showing 20 of 5262 Results