Vulnerabilities discovered and responsibly disclosed by Arkadiusz Marta.
- CVE-2025-3930 - Insufficient Session Expiration via JWT Token Reuse
- CVE-2026-22707 - Upload Plugin MIME Validation Bypass via Content API
- CVE-2025-4643 - Insufficient Session Expiration via JWT Token Reuse
- CVE-2025-4644 - Session Fixation in SQLite Adapter
- CVE-2026-34747 - SQL Injection via Query Handling
- CVE-2025-12465 - Blind SQL Injection via aFilesDelete Parameter
- CVE-2026-11860 - Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution
- CVE-2025-67683 - Reflected XSS via sSort Parameter
- CVE-2025-67684 - Remote Code Execution via Local File Inclusion
- CVE-2026-23516 - XSS via Skeleton SVG Images
- CVE-2026-23526 - Privilege Escalation of Users with Staff Status
- CVE-2026-27568 - Stored Cross-Site Scripting via Markdown Comment Injection
- CVE-2026-27732 - Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
- CVE-2026-28501 - Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
- CVE-2026-28502 - Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
- CVE-2026-50182 - Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination
- CVE-2026-50183 - Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section
- CVE-2026-54458 - Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
- CVE-2026-29058 - Unauthenticated OS Command Injection via base64Url in objects/getImage.php
- CVE-2026-33024 - Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator
- CVE-2026-33025 - Authenticated SQL Injection via ORDER BY Clause
- CVE-2026-28355 - Stored Self Cross-Site Scripting in the PWA Canarytoken
- CVE-2026-11859 - HTML Injection in the Canarytoken Links Email
- CVE-2026-13140 - Stored Cross-Site Scripting in the Exposed AWS API Key Store
- CVE-2026-24350 - Stored XSS via SVG File Upload
- CVE-2026-24351 - Stored XSS in Static Pages Editor
- CVE-2026-24352 - Session Fixation
- CVE-2026-25099 - Remote Code Execution via Unrestricted File Upload
- CVE-2026-25100 - Stored XSS via SVG File Upload
- CVE-2026-25101 - Session Fixation
- CVE-2026-12076 - SQL Injection within the OData filter