5.3
CVE-2026-4970 - code-projects Social Networking Site Endpoint delete_photos.php sql injection
A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file delete_photos.php of the component Endpoint. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been releasedβ¦
5.1
CVE-2026-4969 - code-projects Social Networking Site Alert home.php cross site scripting
A vulnerability was identified in code-projects Social Networking Site 1.0. The impacted element is an unknown function of the file /home.php of the component Alert Handler. The manipulation of the argument content leads to cross site scripting. Remote exploitation of the attack is possible. The exβ¦
8.7
CVE-2026-26061 - Fleet's unbounded request body read allows remote Denial of Service
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive meβ¦
6
CVE-2026-26060 - Fleet: Password reset tokens remain valid after password change for 24 hours
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleetβs password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the accoβ¦
8.2
CVE-2026-34375 - AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the fβ¦
9.1
CVE-2026-34374 - AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Live_schedule::keyExists()` method constructs a SQL query by interpolating a stream key directly into the query string without parameterization. This method is called as a fallback from `LiveTransmition::keyExiβ¦
6.3
CVE-2025-15612 - Wazuh Provisioning Scripts / Build Infrastructure Improper Certificate Validation leading to MITM aβ¦
Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or β¦
5.3
CVE-2026-34369 - AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Withoβ¦
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the β¦
5.3
CVE-2026-34368 - AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes tβ¦
5.3
CVE-2026-34364 - AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering iβ¦
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering iβ¦