arkmarta

2 exploits Active since Mar 2026
CVE-2026-28501 METASPLOIT CRITICAL ruby WORKING POC
WWBN AVideo < 24.0 - Unauthenticated SQL Injection via catName Parameter in JSON POST Request
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-formatted POST request body. Because JSON input is parsed and merged into $_REQUEST after global security checks are executed, the payload bypasses the existing sanitization mechanisms. This issue has been patched in version 24.0.
CVSS 9.8
CVE-2026-29058 METASPLOIT CRITICAL ruby WORKING POC
AVideo < 7.0 - Unauthenticated OS Command Injection via base64Url GET Parameter
AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration (e.g., configuration secrets, internal keys, credentials), and service disruption. This issue has been patched in version 7.0.
CVSS 9.8