5.3
CVE-2026-35450 - WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints (kill.ffmpeg.json.php, list.ffmpeβ¦
5.3
CVE-2026-35449 - WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die() statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addβ¦
8.7
CVE-2026-5686 - Tenda CX12L RouteStatic fromRouteStatic stack-based overflow
A security flaw has been discovered in Tenda CX12L 16.03.53.12. This vulnerability affects the function fromRouteStatic of the file /goform/RouteStatic. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released tβ¦
3.7
CVE-2026-35448 - WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, β¦
7.1
CVE-2026-35444 - SDL_image has a heap buffer overflow READ via unchecked colormap index in XCF loader
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormapβ¦
9.8
CVE-2026-35471 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.
8.1
CVE-2026-35442 - Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated uβ¦
6.5
CVE-2026-35441 - Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Compleβ¦
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensiveβ¦
5.3
CVE-2026-35413 - Directus GraphQL Schema SDL Disclosure Setting
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system eβ¦
7.1
CVE-2026-35412 - Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only coβ¦