6.9
CVE-2026-32845 - jkuhlmann / cgltf <= 1.15 Sparse Accessor Validation Integer Overflow
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers can exploit uncheck…
7.3
CVE-2026-33492 - AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints w…
7.4
CVE-2026-33488 - AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl…
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 5…
5.1
CVE-2026-4591 - kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection
A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit h…
0.0
CVE-2026-4656 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
9.4
CVE-2026-4404 - Use of hard coded credentials in GoHarbor Harbor
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
2.3
CVE-2026-4590 - kalcaddle kodbox loginSubmit API index.class.php cross-site request forgery
A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in cross-site request …
7.5
CVE-2026-33485 - AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Param…
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations: `LiveTran…
7.5
CVE-2026-33483 - AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideo…
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data…
8.1
CVE-2026-33482 - AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` ` ``, `<…