CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-71275 Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection 24.03.2026 9.3
CVE-2026-33309 Langflow has an Arbitrary File Write (RCE) via v2 API 24.03.2026 10
CVE-2026-33475 Langflow GitHub Actions Shell Injection 24.03.2026 9.1
CVE-2019-25628 Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow 24.03.2026 9.3
CVE-2019-25646 Tabs Mail Carrier 2.5.1 Buffer Overflow via MAIL FROM 24.03.2026 9.3
CVE-2026-4755 CWE-20 in MolotovCherry Android-ImageMagick7 24.03.2026 9.8
CVE-2026-4750 Out-of-bounds Read in fabiangreffrath woof 24.03.2026 9.1
CVE-2026-4753 Out-of-bounds Read in slajerek RetroDebugger 24.03.2026 9.1
CVE-2026-4283 WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users 24.03.2026 9.1
CVE-2026-4745 Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja 24.03.2026 10
CVE-2026-4746 Heap Buffer Over-Write Vulnerability in timeplus-io/proton 24.03.2026 10
CVE-2026-4734 Heap Buffer Overflow in yoyofr/modizer 24.03.2026 9.4
CVE-2026-4738 GDAL Bundled zlib (inftree9.c) Pointer Offset Optimization Undefined Behavior Allows Heap Corruption or Remote Code Execution 24.03.2026 9.4
CVE-2026-4739 Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK 24.03.2026 9.4
CVE-2026-4744 Notepad3 Bundled Oniguruma compile_string_node() Heap Buffer Overflow via Crafted Regex Pattern Allows Arbitrary Code Execution 24.03.2026 9.3
CVE-2026-33211 Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from the resolver pod 24.03.2026 9.6
CVE-2026-33286 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names 24.03.2026 9.1
CVE-2026-4001 Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula 24.03.2026 9.8
CVE-2026-4681 Critical Remote Code Execution vulnerability reported in Windchill 24.03.2026 9.3
CVE-2026-33634 Trivy ecosystem supply chain briefly compromised 24.03.2026 9.4
CVE-2025-60949 Census CSWeb leaked configuration files 23.03.2026 9.3
CVE-2026-3055 Insufficient input validation leading to memory overread 24.03.2026 9.3
CVE-2026-30849 MantisBT SOAP API has an authentication bypass vulnerability on MySQL 23.03.2026 9.3
CVE-2026-0898 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. 24.03.2026 9
CVE-2026-33716 AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php 24.03.2026 9.4
CVE-2026-33502 AVideo has Unauthenticated SSRF via plugin/Live/test.php 24.03.2026 9.3
CVE-2026-33478 AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection 23.03.2026 10
CVE-2026-33351 AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass 23.03.2026 9.1
CVE-2026-33352 AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) 23.03.2026 9.8
CVE-2025-41008 SQL Injection in Sinturno 23.03.2026 9.3
CVE-2025-41007 SQL Injection in Cuantis 23.03.2026 9.3
CVE-2026-32968 Unauthenticated RCE in com_mb24sysapi 23.03.2026 9.8
CVE-2026-4585 Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection 23.03.2026 9.3
CVE-2026-3587 Hidden CLI Function Allows Root Access 24.03.2026 10
CVE-2026-4599 23.03.2026 9.3
CVE-2026-4600 23.03.2026 9.1
CVE-2026-4601 23.03.2026 9.4
CVE-2026-4567 Tenda A15 UploadCfg stack-based overflow 23.03.2026 9.3
CVE-2026-4606 GeoVision ERM Improper Privilege Assignment Leads to SYSTEM-Level Privilege 24.03.2026 10
CVE-2019-25614 Free Float FTP 1.0 STOR Command Remote Buffer Overflow 23.03.2026 9.3
CVE-2019-25568 Memu Play 6.0.7 Privilege Escalation via Insecure File Permissions 23.03.2026 9.3
CVE-2026-24060 Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information 23.03.2026 9.1
CVE-2026-29796 IGL-Technologies eParking.fi Missing Authentication for Critical Function 23.03.2026 9.3
CVE-2026-25192 CTEK Chargeportal Missing Authentication for Critical Function 23.03.2026 9.3
CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path 20.03.2026 9.1
CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process 23.03.2026 9.8
CVE-2026-22898 QVR Pro 20.03.2026 9.3
CVE-2026-22172 OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections 20.03.2026 9.4
CVE-2026-33134 WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter 20.03.2026 9.3
CVE-2026-33135 WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter 20.03.2026 9.3
CVE-2026-33136 WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter 20.03.2026 9.3
CVE-2026-33075 FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml 20.03.2026 9.4
CVE-2026-33057 Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py 20.03.2026 9.8
CVE-2026-33054 Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion 20.03.2026 10
CVE-2026-4478 Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification 20.03.2026 9.2
CVE-2026-33017 Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint 23.03.2026 9.3
CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator 20.03.2026 9.3
CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service 20.03.2026 9.9
CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) 20.03.2026 9.3
CVE-2026-4038 Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call 20.03.2026 9.8
CVE-2026-21992 24.03.2026 9.8
CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config 20.03.2026 9.7
CVE-2026-32891 Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS 20.03.2026 9.1
CVE-2026-32817 Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion 20.03.2026 9.1
CVE-2026-32767 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API 20.03.2026 9.8
CVE-2026-32985 Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution 20.03.2026 9.3
CVE-2026-32760 File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin 19.03.2026 10
CVE-2026-22732 Under Some Conditions Spring Security HTTP Headers Are not Written 21.03.2026 9.1
CVE-2026-29103 SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass 20.03.2026 9.1
CVE-2026-32038 OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter 20.03.2026 9.3
CVE-2026-30872 OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup 20.03.2026 9.5
CVE-2026-30871 OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query 20.03.2026 9.5
CVE-2026-32754 FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!}) 20.03.2026 9.3
CVE-2026-32194 Microsoft Bing Images Remote Code Execution Vulnerability 23.03.2026 9.8
CVE-2026-26137 Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability 23.03.2026 9.9
CVE-2026-32169 Azure Cloud Shell Elevation of Privilege Vulnerability 23.03.2026 10
CVE-2026-32191 Microsoft Bing Images Remote Code Execution Vulnerability 23.03.2026 9.8
CVE-2026-30924 qui CORS Misconfiguration: Arbitrary Origins Trusted 20.03.2026 9
CVE-2026-4428 CRL Distribution Point Scope Check Logic Error in AWS-LC 19.03.2026 9.1
CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) 19.03.2026 10
CVE-2026-32238 OpenEMR has Remote Code Execution in backup functionality 20.03.2026 9.1
CVE-2026-32865 OPEXUS eComplaint and eCase insecure password reset 19.03.2026 9.2
CVE-2026-22557 19.03.2026 10
CVE-2026-27065 WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability 19.03.2026 9.8
CVE-2026-27067 WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability 19.03.2026 9.1
CVE-2025-60233 WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability 19.03.2026 9.8
CVE-2025-60237 WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability 19.03.2026 9.8
CVE-2026-27413 WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability 19.03.2026 9.3
CVE-2026-27540 WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability 19.03.2026 9
CVE-2026-27542 WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability 19.03.2026 9.8
CVE-2026-32731 ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction 19.03.2026 10
CVE-2026-32698 OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution 19.03.2026 9.1
CVE-2026-32703 OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy 19.03.2026 9.1
CVE-2026-25873 OmniGen2-RL Reward Server Unsafe Deserialization RCE 19.03.2026 9.3
CVE-2026-32633 Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist` 18.03.2026 9.1
CVE-2026-2991 KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token 18.03.2026 9.8
CVE-2026-25449 WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability 18.03.2026 9.8
CVE-2026-30884 mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key 18.03.2026 9.6
CVE-2026-31938 jsPDF has HTML Injection in New Window paths 18.03.2026 9.6
CVE-2026-21994 18.03.2026 9.8
CVE-2026-32841 Edimax GS-5008PL <= 1.00.54 Global Authentication State Across All Clients 18.03.2026 9.2

Latest Updates

CVE Title Updated Score
CVE-2026-29839 24.03.2026
CVE-2026-29840 24.03.2026
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read 24.03.2026 6.5
CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API 24.03.2026 6.5
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion 24.03.2026 8.1
CVE-2026-33679 Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections 24.03.2026 6.4
CVE-2026-33680 Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation 24.03.2026 7.5
CVE-2026-33700 Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion 24.03.2026
CVE-2025-71275 Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection 24.03.2026
CVE-2026-33334 Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration 24.03.2026
CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal 24.03.2026
CVE-2026-33336 Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation 24.03.2026
CVE-2026-33473 Vikunja has TOTP Reuse During Validity Window 24.03.2026 5.7
CVE-2026-33474 Vikunja Affected by DoS via Image Preview Generation 24.03.2026 6.5
CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect 24.03.2026
CVE-2026-33675 Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources 24.03.2026 6.4
CVE-2026-30653 24.03.2026
CVE-2026-30655 24.03.2026
CVE-2026-33313 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments 24.03.2026
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth 24.03.2026
CVE-2026-33316 Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement 24.03.2026 8.1
CVE-2026-4775 Libtiff: libtiff: arbitrary code execution or denial of service via signed integer overflow in tiff file processing 24.03.2026
CVE-2026-27651 NGINX ngx_mail_auth_http_module vulnerability 24.03.2026 7.5
CVE-2026-27654 NGINX ngx_http_dav_module vulnerability 24.03.2026 8.2
CVE-2026-27784 NGINX ngx_http_mp4_module vulnerability 24.03.2026 7.8
CVE-2026-28753 NGINX ngx_mail_proxy_module vulnerability 24.03.2026 3.7
CVE-2026-28755 NGINX ngx_stream_ssl_module vulnerability 24.03.2026 5.4
CVE-2026-30661 24.03.2026
CVE-2026-30662 24.03.2026
CVE-2026-32647 NGINX ngx_http_mp4_module vulnerability 24.03.2026 7.8
CVE-2026-33554 24.03.2026
CVE-2026-33310 Intake has a Command Injection via shell() Expansion in Parameter Defaults 24.03.2026 8.8
CVE-2026-33311 @dicebear/core and @dicebear/initials Vulnerable to SVG Injection via Unsanitized Options 24.03.2026 4.7
CVE-2026-33418 @dicebear/converter ensureSize() Vulnerable to SVG Dimension Capping Bypass via XML Comment Injection 24.03.2026 7.5
CVE-2026-33484 Langflow has Unauthenticated IDOR on Image Downloads 24.03.2026 7.5
CVE-2026-33497 Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading 24.03.2026
CVE-2026-33309 Langflow has an Arbitrary File Write (RCE) via v2 API 24.03.2026 10
CVE-2026-33475 Langflow GitHub Actions Shell Injection 24.03.2026 9.1
CVE-2026-4684 Race condition, use-after-free in the Graphics: WebRender component 24.03.2026
CVE-2026-4685 Incorrect boundary conditions in the Graphics: Canvas2D component 24.03.2026
CVE-2026-4686 Incorrect boundary conditions in the Graphics: Canvas2D component 24.03.2026
CVE-2026-4687 Sandbox escape due to incorrect boundary conditions in the Telemetry component 24.03.2026
CVE-2026-4688 Sandbox escape due to use-after-free in the Disability Access APIs component 24.03.2026
CVE-2026-4689 Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component 24.03.2026
CVE-2026-4690 Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component 24.03.2026
CVE-2026-4691 Use-after-free in the CSS Parsing and Computation component 24.03.2026
CVE-2026-4692 Sandbox escape in the Responsive Design Mode component 24.03.2026
CVE-2026-4693 Incorrect boundary conditions in the Audio/Video: Playback component 24.03.2026
CVE-2026-4694 Incorrect boundary conditions, integer overflow in the Graphics component 24.03.2026
CVE-2026-4695 Incorrect boundary conditions in the Audio/Video: Web Codecs component 24.03.2026
CVE-2026-4696 Use-after-free in the Layout: Text and Fonts component 24.03.2026
CVE-2026-4697 Incorrect boundary conditions in the Audio/Video: Web Codecs component 24.03.2026
CVE-2026-4698 JIT miscompilation in the JavaScript Engine: JIT component 24.03.2026
CVE-2026-4699 Incorrect boundary conditions in the Layout: Text and Fonts component 24.03.2026
CVE-2026-4700 Mitigation bypass in the Networking: HTTP component 24.03.2026
CVE-2026-4701 Use-after-free in the JavaScript Engine component 24.03.2026
CVE-2026-4702 JIT miscompilation in the JavaScript Engine component 24.03.2026
CVE-2026-4704 Denial-of-service in the WebRTC: Signaling component 24.03.2026
CVE-2026-4705 Undefined behavior in the WebRTC: Signaling component 24.03.2026
CVE-2026-4706 Incorrect boundary conditions in the Graphics: Canvas2D component 24.03.2026
CVE-2026-4707 Incorrect boundary conditions in the Graphics: Canvas2D component 24.03.2026
CVE-2026-4708 Incorrect boundary conditions in the Graphics component 24.03.2026
CVE-2026-4709 Incorrect boundary conditions in the Audio/Video: GMP component 24.03.2026
CVE-2026-4710 Incorrect boundary conditions in the Audio/Video component 24.03.2026
CVE-2026-4711 Use-after-free in the Widget: Cocoa component 24.03.2026
CVE-2026-4712 Information disclosure in the Widget: Cocoa component 24.03.2026
CVE-2026-4713 Incorrect boundary conditions in the Graphics component 24.03.2026
CVE-2026-4714 Incorrect boundary conditions in the Audio/Video component 24.03.2026
CVE-2026-4715 Uninitialized memory in the Graphics: Canvas2D component 24.03.2026
CVE-2026-4716 Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component 24.03.2026
CVE-2026-4717 Privilege escalation in the Netmonitor component 24.03.2026
CVE-2026-4718 Undefined behavior in the WebRTC: Signaling component 24.03.2026
CVE-2026-4719 Incorrect boundary conditions in the Graphics: Text component 24.03.2026
CVE-2026-4720 Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 24.03.2026
CVE-2026-4721 Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 24.03.2026
CVE-2026-4722 Privilege escalation in the IPC component 24.03.2026
CVE-2026-4723 Use-after-free in the JavaScript Engine component 24.03.2026
CVE-2026-4724 Undefined behavior in the Audio/Video component 24.03.2026
CVE-2026-4725 Sandbox escape due to use-after-free in the Graphics: Canvas2D component 24.03.2026
CVE-2026-4726 Denial-of-service in the XML component 24.03.2026
CVE-2026-4727 Denial-of-service in the Libraries component in NSS 24.03.2026
CVE-2026-4728 Spoofing issue in the Privacy: Anti-Tracking component 24.03.2026
CVE-2026-4729 Memory safety bugs fixed in Firefox 149 and Thunderbird 149 24.03.2026
CVE-2019-25626 River Past Cam Do 3.7.6 Local Buffer Overflow in Activation Code 24.03.2026
CVE-2019-25627 FlexHEX 2.71 Local Buffer Overflow via SEH Unicode 24.03.2026
CVE-2019-25628 Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow 24.03.2026
CVE-2019-25629 AIDA64 Extreme 5.99.4900 SEH Buffer Overflow via Logging 24.03.2026
CVE-2019-25630 PhreeBooks ERP 5.2.3 Arbitrary File Upload via Image Manager 24.03.2026
CVE-2019-25631 AIDA64 Business 5.99.4900 SEH Buffer Overflow via EggHunter 24.03.2026
CVE-2019-25632 phpFileManager 1.7.8 Local File Inclusion via index.php 24.03.2026
CVE-2019-25633 AIDA64 Extreme 5.99.4900 SEH Buffer Overflow via EggHunter 24.03.2026
CVE-2019-25634 Base64 Decoder 1.1.2 Local Buffer Overflow SEH Egghunter 24.03.2026
CVE-2019-25635 Zeeways Matrimony CMS Latest SQL Injection via profile_list 24.03.2026
CVE-2019-25636 Zeeways Jobsite CMS Latest SQL Injection via id Parameter 24.03.2026
CVE-2019-25637 X-NetStat Pro 5.63 Local Buffer Overflow via EggHunter 24.03.2026
CVE-2019-25638 Meeplace Business Review Script Latest SQL Injection via addclick.php 24.03.2026
CVE-2019-25639 Matrimony Website Script M-Plus Multiple SQL Injection 24.03.2026
CVE-2019-25640 Inout Article Base CMS Latest SQL Injection via portalLogin.php 24.03.2026
CVE-2019-25641 Netartmedia Vlog System Latest SQL Injection via email Parameter 24.03.2026
CVE-2019-25642 Bootstrapy CMS Latest Multiple SQL Injection via Forum and Contact Modules 24.03.2026
CVE-2019-25643 eNdonesia Portal v8.7 SQL Injection via banners.php 24.03.2026
CVE-2019-25644 WinMPG Video Convert 9.3.5 Buffer Overflow Local Denial of Service 24.03.2026
CVE-2019-25645 WinAVI iPod 3GP MP4 PSP Converter 4.4.2 Denial of Service 24.03.2026
CVE-2019-25646 Tabs Mail Carrier 2.5.1 Buffer Overflow via MAIL FROM 24.03.2026
CVE-2019-25647 PhreeBooks ERP 5.2.3 Remote Code Execution via Image Manager 24.03.2026
CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups 24.03.2026
CVE-2026-4649 Auth bypass in Apache Artemis allows reading all internal messages 24.03.2026
CVE-2026-32642 Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission 24.03.2026
CVE-2025-41660 CODESYS Control Boot Application Replacement Enables Code Execution 24.03.2026 8.8
CVE-2026-3509 CODESYS Control Audit Log Format String DoS 24.03.2026 7.5
CVE-2026-33852 Missing Release of Memory after Effective Lifetime in MolotovCherry Android-ImageMagick7 24.03.2026 7.5
CVE-2026-4754 CWE-79 in MolotovCherry Android-ImageMagick7 24.03.2026 6.1
CVE-2026-4755 CWE-20 in MolotovCherry Android-ImageMagick7 24.03.2026 9.8
CVE-2026-4756 Out-of-bounds Write in MolotovCherry Android-ImageMagick7 24.03.2026 7.8
CVE-2026-33847 Improper Restriction of Operations within the Bounds of a Memory Buffer in linkingvision rapidvms 24.03.2026 7.8
CVE-2026-33848 Improper Restriction of Operations within the Bounds of a Memory Buffer in linkingvision rapidvms 24.03.2026 8.8
CVE-2026-33849 Improper Restriction of Operations within the Bounds of a Memory Buffer in linkingvision rapidvms 24.03.2026 8.8
CVE-2026-33850 Out-of-bounds Write in WujekFoliarz DualSenseY-v2 24.03.2026 7.8
CVE-2026-33851 Improper Restriction of Operations within the Bounds of a Memory Buffer in joncampbell123 doslib 24.03.2026 7.8
CVE-2026-33853 NULL Pointer Dereference in MolotovCherry Android-ImageMagick7 24.03.2026 5.5
CVE-2026-33854 Out-of-bounds Write in MolotovCherry Android-ImageMagick7 24.03.2026 8.8
CVE-2026-33855 Integer Overflow or Wraparound in MolotovCherry Android-ImageMagick7 24.03.2026 5.5
CVE-2026-33856 Missing Release of Memory after Effective Lifetime in MolotovCherry Android-ImageMagick7 24.03.2026 7.5
CVE-2026-4750 Out-of-bounds Read in fabiangreffrath woof 24.03.2026 9.1
CVE-2026-4751 NULL Pointer Dereference in tmate-io tmate 24.03.2026 5.3
CVE-2026-4752 Use After Free in No-Chicken Echo-Mate 24.03.2026 6.4
CVE-2026-4753 Out-of-bounds Read in slajerek RetroDebugger 24.03.2026 9.1
CVE-2026-4749 NVD-CWE-noinfo in albfan miraclecast 24.03.2026 6.5
CVE-2026-3138 Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE 24.03.2026 6.5
CVE-2026-4283 WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users 24.03.2026 9.1
CVE-2026-4639 Galaxy Software Services|Vitals ESP - Incorrect Authorization 24.03.2026
CVE-2026-4640 Galaxy Software Services|Vitals ESP - Missing Authentication 24.03.2026
CVE-2026-4662 JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter 24.03.2026 7.5
CVE-2026-3260 Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests 24.03.2026
CVE-2026-4627 D-Link DIR-825/DIR-825R NTP Service libdeuteron_modules.so handler_update_system_time os command injection 24.03.2026
CVE-2026-4632 itsourcecode Online Enrollment System Parameter index.php sql injection 24.03.2026
CVE-2026-4745 Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja 24.03.2026
CVE-2026-4746 Heap Buffer Over-Write Vulnerability in timeplus-io/proton 24.03.2026
CVE-2026-4625 SourceCodester Online Admission System programmes.php sql injection 24.03.2026
CVE-2026-4626 projectworlds Lawyer Management System lawyer_booking.php cross site scripting 24.03.2026
CVE-2026-4731 An Integer Overflow Vulnerability in artraweditor/ART 24.03.2026
CVE-2026-4732 Out-of-bounds Read Overflow in tildearrow/furnace 24.03.2026
CVE-2026-4733 Information disclosure in ixray-1.6-stcop 24.03.2026 5.3
CVE-2026-4734 Heap Buffer Overflow in yoyofr/modizer 24.03.2026
CVE-2026-4735 A stack overflow and DoS vulnerability in DTStack/chunjun 24.03.2026
CVE-2026-4736 Math Issue in No-Chicken/Echo-Mate 24.03.2026
CVE-2026-4737 Use-After-Free Vulnerability in No-Chicken/Echo-Mate 24.03.2026
CVE-2026-4738 GDAL Bundled zlib (inftree9.c) Pointer Offset Optimization Undefined Behavior Allows Heap Corruption or Remote Code Execution 24.03.2026
CVE-2026-4739 Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK 24.03.2026
CVE-2026-4741 Path Traversal Vulnerability in TeamJCD/JoyConDroid 24.03.2026
CVE-2026-4742 HTTP Request Smuggling in visualfc/liteide 24.03.2026
CVE-2026-4743 Null-Pointer Dereference Vulnerability in taurusxin/ncmdump 24.03.2026
CVE-2026-4744 Notepad3 Bundled Oniguruma compile_string_node() Heap Buffer Overflow via Crafted Regex Pattern Allows Arbitrary Code Execution 24.03.2026
CVE-2026-33308 mod_gnutls missing key purpose check in client certificate verification 24.03.2026 6.8
CVE-2026-4623 DefaultFuction Jeson-Customer-Relationship-Management-System API Module System.php server-side request forgery 24.03.2026
CVE-2026-4624 SourceCodester Online Library Management System Parameter home.php sql injection 24.03.2026
CVE-2026-33307 mod_gnutls has stack-based buffer overflow caused by a long client certificate chain 24.03.2026 7.5
CVE-2026-3079 LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter 24.03.2026 6.5
CVE-2026-4617 SourceCodester Patients Waiting Area Queue Management System Patient Check-In api_patient_checkin.php ValidateToken improper authorization 24.03.2026
CVE-2026-22739 Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks 24.03.2026 8.6
CVE-2026-33290 WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission 23.03.2026 4.3
CVE-2026-33298 llama.cpp has a Heap Buffer Overflow via Integer Overflow in GGUF Tensor Parsing 24.03.2026 7.8
CVE-2026-33306 bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby 24.03.2026
CVE-2026-33320 Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service 24.03.2026 6.2
CVE-2026-4616 bolo-blog Article Title article cross site scripting 24.03.2026
CVE-2026-4673 24.03.2026
CVE-2026-4674 24.03.2026
CVE-2026-4675 24.03.2026
CVE-2026-4676 24.03.2026
CVE-2026-4677 24.03.2026
CVE-2026-4678 24.03.2026
CVE-2026-4679 24.03.2026
CVE-2026-4680 24.03.2026
CVE-2026-33211 Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from the resolver pod 24.03.2026 9.6
CVE-2026-33282 Ella Core panics on malformed NGAP Location Report 23.03.2026 7.5
CVE-2026-33283 Ella Core panics on malformed ULNASTransport Message without a Request Type 24.03.2026 6.5
CVE-2026-33286 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names 24.03.2026 9.1
CVE-2026-33195 Rails Active Storage has possible Path Traversal in DiskService 24.03.2026
CVE-2026-33202 Rails Active Storage has possible glob injection in its DiskService 24.03.2026
CVE-2026-33241 Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing 23.03.2026
CVE-2026-33242 Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass 24.03.2026 7.5
CVE-2026-33250 Crash when receiving specially-crafted packets 24.03.2026 7.5
CVE-2026-33252 MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorization 23.03.2026 7.1
CVE-2026-33281 Ella Core panics on invalid PDU Session IDs in NGAP messages 24.03.2026 6.5
CVE-2026-4614 itsourcecode sanitize or validate this input Parameter subjects.php sql injection 23.03.2026
CVE-2026-4615 SourceCodester Online Catering Reservation search.php sql injection 24.03.2026
CVE-2026-33173 Rails Active Storage has possible content type bypass via metadata in direct uploads 24.03.2026
CVE-2026-33174 Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests 24.03.2026
CVE-2026-33176 Rails Active Support has a possible DoS vulnerability in its number helpers 23.03.2026
CVE-2026-3533 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import 24.03.2026 8.8
CVE-2026-4001 Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula 24.03.2026 9.8
CVE-2026-4021 Contest Gallery <= 28.1.5 - Unauthenticated Privilege Escalation Admin Account Takeover via Registration Confirmation Email-to-ID Type Confusion 23.03.2026 8.1
CVE-2026-4056 User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation 23.03.2026 5.4
CVE-2026-33169 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited 24.03.2026
CVE-2026-33170 Rails Active Support has a possible XSS vulnerability in SafeBuffer#% 23.03.2026
CVE-2026-4613 SourceCodester E-Commerce Site products.php sql injection 24.03.2026
CVE-2026-33167 Rails has a possible XSS vulnerability in its Action Pack debug exceptions 23.03.2026
CVE-2026-33168 Rails has a possible XSS vulnerability in its Action View tag helpers 24.03.2026
CVE-2026-33046 Indico discloses local files resulting in Remote Code Execution through LaTeX injection 24.03.2026
CVE-2026-2412 Quiz and Survey Master (QSM) <= 10.3.5 - Authenticated (Contributor+) SQL Injection via 'merged_question' Parameter 23.03.2026 6.5
CVE-2026-3225 LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion 23.03.2026 4.3
CVE-2026-4066 Smart Custom Fields <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search 24.03.2026 4.3
CVE-2026-4306 WP Job Portal <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter 24.03.2026 7.5
CVE-2026-4612 itsourcecode Free Hotel Reservation System Parameter index.php sql injection 24.03.2026
CVE-2026-4681 Critical Remote Code Execution vulnerability reported in Windchill 24.03.2026
CVE-2026-22173 23.03.2026
CVE-2026-27183 OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch 24.03.2026
CVE-2026-27646 OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command 23.03.2026
CVE-2026-28455 23.03.2026
CVE-2026-28483 23.03.2026
CVE-2026-32012 23.03.2026
CVE-2026-32047 23.03.2026
CVE-2026-32066 23.03.2026
CVE-2026-32279 Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin 24.03.2026 6.8
CVE-2026-32299 Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature 24.03.2026 7.5
CVE-2026-32300 Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information 23.03.2026 8.1
CVE-2026-32900 23.03.2026
CVE-2026-32901 23.03.2026
CVE-2026-32902 23.03.2026
CVE-2026-32903 23.03.2026
CVE-2026-32904 23.03.2026
CVE-2026-32907 23.03.2026
CVE-2026-32908 23.03.2026
CVE-2026-32909 23.03.2026
CVE-2026-32910 23.03.2026
CVE-2026-32911 23.03.2026
CVE-2026-32912 23.03.2026
CVE-2026-32913 OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects 24.03.2026
CVE-2026-33634 Trivy ecosystem supply chain briefly compromised 24.03.2026
CVE-2026-1940 Gstreamer: incomplete fix of cve-2026-1940 24.03.2026
CVE-2026-32277 Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View 24.03.2026 8.7
CVE-2026-32278 Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin 23.03.2026 8.2
CVE-2025-60946 Census CSWeb path traversal 23.03.2026 8.8
CVE-2025-60947 Census CSWeb arbitrary file upload 23.03.2026 8.8
CVE-2025-60948 Census CSWeb stored XSS 23.03.2026 4.6
CVE-2025-60949 Census CSWeb leaked configuration files 23.03.2026
CVE-2026-29111 systemd: Local unprivileged user can trigger an assert 23.03.2026 5.5
CVE-2026-32276 Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin 24.03.2026 8.8
CVE-2026-4611 TOTOLINK X6000R shttpd setLanCfg privilege escalation 23.03.2026
CVE-2026-23485 Blinko: Unauthorized Path Traversal File Enumeration - music-metadata 24.03.2026
CVE-2026-23486 Blinko: Unauthorized User Information Leak 24.03.2026
CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token 23.03.2026
CVE-2026-23488 Blinko: multiple interfaces in the comment feature allow unauthorized access 24.03.2026
CVE-2026-23882 Blinko: Admin RCE - MCP Server Command Injection 23.03.2026
CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint 24.03.2026
CVE-2026-23481 Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile 23.03.2026
CVE-2026-23482 Blinko: Unauthorized Arbitrary File Read - /api/file/temp 24.03.2026
CVE-2026-23483 Blinko: Unauthorized Arbitrary File Read - /plugins 23.03.2026
CVE-2026-23484 Blinko: Authenticated Arbitrary File Write - saveDevPlugin 23.03.2026
CVE-2026-3055 Insufficient input validation leading to memory overread 24.03.2026
CVE-2026-4368 Race Condition leading to User Session Mixup 24.03.2026
CVE-2026-4597 648540858 wvp-GB28181-pro Stream Proxy Query StreamProxyProvider.java selectAll sql injection 24.03.2026
CVE-2025-52204 24.03.2026
CVE-2026-2298 24.03.2026
CVE-2024-46878 24.03.2026
CVE-2024-46879 24.03.2026
CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check 23.03.2026 6.5
CVE-2026-32879 New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure 24.03.2026 4.9
CVE-2026-4596 projectworlds Lawyer Management System lawyers.php cross site scripting 23.03.2026
CVE-2026-27131 Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground 24.03.2026 5.5
CVE-2026-30849 MantisBT SOAP API has an authentication bypass vulnerability on MySQL 23.03.2026
CVE-2026-32850 MailEnable < 10.55 Reflected XSS via ManageShares.aspx SelectedIndex Parameter 24.03.2026
CVE-2026-32851 MailEnable < 10.55 Reflected XSS via FreeBusy.aspx Attendees Parameter 23.03.2026
CVE-2026-32852 MailEnable < 10.55 Reflected XSS via FreeBusy.aspx StartDate Parameter 24.03.2026
CVE-2026-33517 MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation 24.03.2026
CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline 23.03.2026
CVE-2025-15606 Denial of Service (DoS) in HTTPD Input Handling on TP-Link TD-W8961N 24.03.2026
CVE-2026-0898 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. 24.03.2026
CVE-2026-25075 strongSwan 4.5.0 < 6.0.5 EAP-TTLS AVP Parsing Integer Underflow 23.03.2026
CVE-2026-26209 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads 23.03.2026
CVE-2026-33651 AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_id in Scheduler_commands::getAllActiveOrToRepeat() 24.03.2026 8.1
CVE-2026-33681 AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name 23.03.2026 7.2
CVE-2026-33683 AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field 23.03.2026 5.4
CVE-2026-33685 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data 24.03.2026 5.3
CVE-2026-33688 AVideo has Pre-Captcha User Enumeration and Account Status Disclosure in Password Recovery Endpoint 24.03.2026 5.3
CVE-2026-33690 AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr() 23.03.2026 5.3
CVE-2026-33716 AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php 24.03.2026 9.4
CVE-2026-33717 AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort 23.03.2026 8.8
CVE-2026-33719 AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment in status.json.php 23.03.2026 8.6
CVE-2026-33723 AVideo Vulnerable to SQL Injection in Subscribe Endpoint via Unsanitized user_id Parameter in subscribe.php 24.03.2026 7.1
CVE-2026-4595 code-projects Exam Form Submission update_s6.php cross site scripting 24.03.2026
CVE-2026-33512 AVideo has an unauthenticated decrypt oracle leaking any ciphertext 23.03.2026 7.5
CVE-2026-33513 AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP) 24.03.2026 8.6
CVE-2026-33647 AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload 23.03.2026 8.8
CVE-2026-33648 AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path 23.03.2026 8.8
CVE-2026-33649 AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification 24.03.2026 8.1
CVE-2026-33650 AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion 24.03.2026 7.6