CVSS 3.1: 6.5

CVE-2026-34613 - AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins …

📅 Published: March 31, 2026, 8:45 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 6.5

CVE-2026-34611 - AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Becau…

📅 Published: March 31, 2026, 8:42 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 6.1

CVE-2026-34396 - AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-co…

📅 Published: March 31, 2026, 8:40 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 8.1

CVE-2026-34394 - AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's expl…

📅 Published: March 31, 2026, 8:39 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 6.5

CVE-2026-34395 - AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin…

📅 Published: March 31, 2026, 8:38 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 4.5

CVE-2026-34384 - Admidio: Missing CSRF Protection on Registration Approval Actions

Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (whic…

📅 Published: March 31, 2026, 8:34 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 4.3

CVE-2026-34383 - Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can…

📅 Published: March 31, 2026, 8:33 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 4.6

CVE-2026-34382 - Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently des…

📅 Published: March 31, 2026, 8:32 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 7.5

CVE-2026-34381 - Admidio: Unauthenticated Access to Role-Restricted Documents via Neutralized .htaccess

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently igno…

📅 Published: March 31, 2026, 8:31 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.

CVSS 3.1: 6.5

CVE-2026-34586 - PdfDing: Shared PDF Expiration, Max Views, and Deletion Bypass via Serve/Download Endpoints

PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence; it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and …

📅 Published: March 31, 2026, 8:27 p.m. 🔄 Last Modified: April 2, 2026, 8:10 p.m.