5.3

CVSS3.1

CVE-2026-34369 - AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Witho…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the …

📅 Published: March 27, 2026, 6:13 p.m. 🔄 Last Modified: April 2, 2026, 7:55 a.m.

5.3

CVSS3.1

CVE-2026-34368 - AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes t…

📅 Published: March 27, 2026, 6:12 p.m. 🔄 Last Modified: March 31, 2026, 8 p.m.

5.3

CVSS3.1

CVE-2026-34364 - AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering i…

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering i…

📅 Published: March 27, 2026, 6:11 p.m. 🔄 Last Modified: April 14, 2026, 4:42 p.m.

6.3

CVSS4.0

CVE-2025-15617 - Wazuh GitHub Actions Workflow Exposure of Sensitive Credentials

Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits …

📅 Published: March 27, 2026, 6:04 p.m. 🔄 Last Modified: March 31, 2026, 8 p.m.

5.3

CVSS4.0

CVE-2026-4968 - SourceCodester Diary App diary.php cross-site request forgery

A vulnerability was determined in SourceCodester Diary App 1.0. The affected element is an unknown function of the file diary.php. Executing a manipulation can lead to cross-site request forgery. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

📅 Published: March 27, 2026, 5:41 p.m. 🔄 Last Modified: April 24, 2026, 4:36 p.m.

5.3

CVSS4.0

CVE-2026-4966 - itsourcecode Free Hotel Reservation System index.php sql injection

A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and ma…

📅 Published: March 27, 2026, 5:41 p.m. 🔄 Last Modified: April 24, 2026, 4:36 p.m.

6.9

CVSS4.0

CVE-2026-4965 - letta-ai letta Incomplete Fix CVE-2025-6101 ast_parsers.py resolve_type eval injection

A vulnerability was detected in letta-ai letta 0.16.4. This issue affects the function resolve_type of the file letta/functions/ast_parsers.py of the component Incomplete Fix CVE-2025-6101. Performing a manipulation results in improper neutralization of directives in dynamically evaluated code. The…

📅 Published: March 27, 2026, 5:41 p.m. 🔄 Last Modified: March 30, 2026, 1:26 p.m.

5.3

CVSS4.0

CVE-2026-4964 - letta-ai letta File URL message_helper.py _convert_message_create_to_message server-side request fo…

A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request …

📅 Published: March 27, 2026, 5:05 p.m. 🔄 Last Modified: March 31, 2026, 3:11 p.m.

5.3

CVSS4.0

CVE-2026-4963 - huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code inj…

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible t…

📅 Published: March 27, 2026, 5:05 p.m. 🔄 Last Modified: April 30, 2026, 7:05 p.m.

7.3

CVSS4.0

CVE-2026-4962 - UltraVNC Service version.dll uncontrolled search path

A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in uncontrolled search path. The attack needs to be approached locally. This attack is characterized by h…

📅 Published: March 27, 2026, 5:05 p.m. 🔄 Last Modified: March 30, 2026, 1:26 p.m.
Total results: 349182
Page 828 of 34,919