Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.8 HIGH
CVE-2026-33717 — AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downlo…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-acc…

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
9.4 CRITICAL
CVE-2026-33716 — AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in …

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-suppli…

Remote | Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-33690 — AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the clie…

Remote | Information Disclosure
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-33688 — AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recover…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks b…

Remote | Information Disclosure
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.3 MEDIUM
CVE-2026-33685 — AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campai…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any u…

Remote | Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
5.4 MEDIUM
CVE-2026-33683 — AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbi…

Remote | Cross-Site Scripting
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.2 HIGH
CVE-2026-33681 — AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File …

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugi…

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.1 HIGH
CVE-2026-33651 — AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitiza…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.6 HIGH
CVE-2026-33650 — AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Vi…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations —…

Remote | Authorization
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.1 HIGH
CVE-2026-33649 — AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitr…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that…

Remote | Cross-Site Request Forgery
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2026-33648 — AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmition…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled `users_id` and `liveTransmitionHist…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.8 HIGH
CVE-2026-33647 — AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery Fi…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `ImageGallery::saveFile()` method validates uploaded file content using `finfo` MIME type detection but derives…

Remote | Misconfiguration
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.6 HIGH
CVE-2026-33513 — AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writa…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonical…

Remote | Path Traversal
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.5 HIGH
CVE-2026-33512 — AVideo has an unauthenticated decrypt oracle leaking any ciphertext

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receiv…

Remote | Authentication
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.5 HIGH
CVE-2026-26209 — cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by unc…

Remote | Denial of Service
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.7 HIGH
CVE-2026-25075 — strongSwan 4.5.0 < 6.0.5 EAP-TTLS AVP Parsing Integer Underflow

strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending cra…

Remote | Denial of Service
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
9.0 CRITICAL
CVE-2026-0898 — An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot …

An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. This v…

Remote | Misconfiguration
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.1 HIGH
CVE-2025-15606 — Denial of Service (DoS) in HTTPD Input Handling on TP-Link TD-W8961N

A Denial-of-Service (DoS) vulnerability in the httpd component of TP-Link's TD-W8961N v4.0 due to improper input sanitization, allows crafted requests to trigger a processing error that causes the ht…

| Denial of Service
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
7.5 HIGH
CVE-2026-4594 — erupts erupt EruptJpaUtils.java geneEruptHqlOrderBy sql injection

A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.…

Remote | Injection
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
8.5 HIGH
CVE-2025-15605 — Hardcoded Cryptographic Key in Configuration Encryption Mechanism on TP-Link Archer NX200…

A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated at…

| Cryptography
Mar 23, 2026 Mar 23, 2026
Mar 23, 2026
Mar 23, 2026
Showing 20 of 5280 Results