CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-27897 Vociferous Unauthenticated Remote Path Traversal (RCE via CSRF) 11.03.2026 10
CVE-2026-28229 Argo Workflows has unauthorized access to Argo Workflows Template 11.03.2026 9.8
CVE-2026-30903 11.03.2026 9.6
CVE-2026-3826 WellChoose|IFTOP - Local File Inclusion 11.03.2026 9.3
CVE-2023-27573 11.03.2026 9
CVE-2026-24448 11.03.2026 9.3
CVE-2026-27842 11.03.2026 9.3
CVE-2026-23813 Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset 11.03.2026 9.8
CVE-2026-29515 MiCode FileExplorer SwiFTP Server Authentication Bypass 11.03.2026 9.3
CVE-2026-28806 Improper authorization in device bulk actions and device update API allows cross-organization device control 11.03.2026 9.4
CVE-2026-0124 11.03.2026 10
CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter 11.03.2026 9.9
CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write 11.03.2026 10
CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover 11.03.2026 9.3
CVE-2026-29793 NoSQL Injection via WebSocket id Parameter in MongoDB Adapter 11.03.2026 9.3
CVE-2025-48611 11.03.2026 10
CVE-2026-28495 GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php 10.03.2026 9.7
CVE-2026-27825 MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment 10.03.2026 9.1
CVE-2026-28292 simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 11.03.2026 9.8
CVE-2026-30960 RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface 10.03.2026 9.4
CVE-2026-30956 OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header 10.03.2026 10
CVE-2026-30957 OneUptime Synthetic Monitor RCE via exposed Playwright browser object 10.03.2026 10
CVE-2025-40943 10.03.2026 9.4
CVE-2026-3843 SQL Injection in Nefteprodukttekhnika BUK TS-G Allows Remote Code Execution 10.03.2026 9.3
CVE-2025-41709 Command injection in power analyzer via Modbus-TCP and Modbus-RTU 10.03.2026 9.8
CVE-2026-0953 Tutor LMS Pro <= 3.9.5 - Authentication Bypass via Social Login 10.03.2026 9.8
CVE-2026-27685 Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration 11.03.2026 9.1
CVE-2026-30921 OneUptime Synthetic Monitor RCE via exposed Playwright browser object 10.03.2026 10
CVE-2026-30887 OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE 10.03.2026 10
CVE-2026-30862 Critical Stored XSS & Privilege Escalation in Appsmith 10.03.2026 9.1
CVE-2026-30869 SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage 10.03.2026 9.3
CVE-2025-11158 Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization 10.03.2026 9.1
CVE-2026-28431 Misskey lacks proper authorization checks and input validation 10.03.2026 9.2
CVE-2026-30240 Budibase PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets 10.03.2026 9.6
CVE-2026-31816 Budibase Universal Auth Bypass via Webhook Query Param Injection 10.03.2026 9.1
CVE-2025-41764 Unchecked role in wwwupdate.cgi 09.03.2026 9.1
CVE-2025-41765 Unchecked role in wwwupload.cgi 09.03.2026 9.1
CVE-2026-3823 Atop Technologies|EHG2408 series switch - Stack-based Buffer Overflow 09.03.2026 9.3
CVE-2026-3630 Stack-based Buffer Overflow Vulnerability in COMMGR2 09.03.2026 9.8
CVE-2026-3703 Wavlink NU516U1 login.cgi sub_401A10 out-of-bounds write 10.03.2026 9.3
CVE-2026-30860 WeKnora: Remote Code Execution via SQL Injection Bypass in AI Database Query Tool 09.03.2026 10
CVE-2026-30861 WeKnora: Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation 09.03.2026 10
CVE-2026-30863 Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters 09.03.2026 9.3
CVE-2026-30832 Soft Serve: SSRF via unvalidated LFS endpoint in repo import 09.03.2026 9.1
CVE-2026-29191 ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint 09.03.2026 9.3
CVE-2026-25070 XikeStor SKS8310-8X PingTestSet Command Injection 10.03.2026 9.3
CVE-2026-29789 Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification 09.03.2026 10
CVE-2026-30847 Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens 09.03.2026 9.3
CVE-2026-30843 Wekan has Cross-Board IDOR in Custom Fields Update Endpoints 09.03.2026 9.3
CVE-2026-30844 Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading 09.03.2026 9.3
CVE-2026-28514 Rocket.Chat: Users can login with any password via the EE ddp-streamer-service 11.03.2026 9.3
CVE-2026-26288 Everon api.everon.io Missing Authentication for Critical Function 10.03.2026 9.3
CVE-2026-26051 Mobiliti e-mobi.hu Missing Authentication for Critical Function 09.03.2026 9.3
CVE-2026-2330 CVE-2026-2330 09.03.2026 9.4
CVE-2026-2331 CVE-2026-2331 09.03.2026 9.8
CVE-2026-29183 SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution 06.03.2026 9.3
CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php 09.03.2026 9.8
CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization 09.03.2026 9.3
CVE-2026-28508 Idno: Unauthenticated SSRF via URL Unfurl Endpoint 06.03.2026 9.2
CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import 06.03.2026 9.3
CVE-2026-28785 Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import 06.03.2026 9.3
CVE-2025-59542 Chamilo: Account Takeover via Stored XSS in Course Learning Paths 06.03.2026 9.1
CVE-2025-59543 Chamilo: Account Takeover via Stored XSS in Course Description 09.03.2026 9.1
CVE-2026-28497 TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling) 06.03.2026 9.3
CVE-2026-28501 WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php 06.03.2026 9.8
CVE-2026-28502 WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction 06.03.2026 9.3
CVE-2026-29046 TinyWeb: HTTP Header Control Character Injection into CGI Environment 06.03.2026 9.2
CVE-2026-22552 ePower epower.ie Missing Authentication for Critical Function 09.03.2026 9.3
CVE-2026-21536 Microsoft Devices Pricing Program Remote Code Execution Vulnerability 11.03.2026 9.8
CVE-2026-28391 OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement 10.03.2026 9.2
CVE-2026-28446 OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching 11.03.2026 9.2
CVE-2026-28466 OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass 09.03.2026 9.4
CVE-2026-28470 OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes 09.03.2026 9.2
CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake 09.03.2026 9.2
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing 09.03.2026 9.3
CVE-2026-21622 Password Reset Tokens Do Not Expire 10.03.2026 9.5
CVE-2025-55208 Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files 06.03.2026 9.1
CVE-2026-29188 File Browser: TUS Delete Endpoint Bypasses Delete Permission Check 06.03.2026 9.1
CVE-2026-0848 Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading 06.03.2026 10
CVE-2026-28353 Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release 06.03.2026 10
CVE-2026-25921 Gogs: Cross-repository LFS object overwrite via missing content hash verification 06.03.2026 9.3
CVE-2026-24457 06.03.2026 9.1
CVE-2026-27944 Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure 06.03.2026 9.8
CVE-2026-30789 RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks 05.03.2026 9.3
CVE-2026-30790 RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force 10.03.2026 9.3
CVE-2026-30797 RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server 05.03.2026 9.3
CVE-2026-30792 RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings 06.03.2026 9.1
CVE-2026-30793 RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation 05.03.2026 9.3
CVE-2026-30794 RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure 05.03.2026 9.1
CVE-2026-2599 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' 05.03.2026 9.8
CVE-2026-21628 Extension - astroidframe.work - Unauthenticated Remote Code Execution in Astroid Framework 2.0.0 - 3.3.10 for Joomla 05.03.2026 10
CVE-2026-28536 05.03.2026 9.6
CVE-2026-2743 SEPPmail User Web Interface Arbitrary File Write to RCE 05.03.2026 10
CVE-2026-1678 dns: memory‑safety issue in the DNS name parser 05.03.2026 9.4
CVE-2026-29127 Incorrect Permission Assignment(777) on `monitor` Users Home Directory Containing SUID Root Binaries in IDC SFX2100 05.03.2026 9.2
CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing 06.03.2026 9.3
CVE-2026-2833 HTTP Request Smuggling via Premature Upgrade 06.03.2026 9.3
CVE-2026-29000 pac4j-jwt JwtAuthenticator Authentication Bypass 11.03.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2025-12690 Local Privilege Escalation in NGFW Engine 11.03.2026
CVE-2026-1732 Improper Removal of Sensitive Information Before Storage or Transfer in GitLab 11.03.2026 4.3
CVE-2026-22248 GLPI affected by Remote Code Execution via malicious upload 11.03.2026 8.1
CVE-2026-27897 Vociferous Unauthenticated Remote Path Traversal (RCE via CSRF) 11.03.2026 10
CVE-2026-28229 Argo Workflows has unauthorized access to Argo Workflows Template 11.03.2026 9.8
CVE-2026-31892 WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode 11.03.2026
CVE-2026-3848 Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab 11.03.2026 5
CVE-2026-21888 MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() 11.03.2026 7.5
CVE-2025-67298 11.03.2026
CVE-2026-30901 Zoom Rooms for Windows - Improper Input Validation 11.03.2026 7
CVE-2026-30902 Zoom Clients for Windows - Improper Privilege Management 11.03.2026 7.8
CVE-2026-30903 11.03.2026 9.6
CVE-2026-32229 11.03.2026 6.8
CVE-2026-3013 Path Traversal in Coppermine Photo Gallery 11.03.2026
CVE-2026-3946 PHPEMS index.php cross site scripting 11.03.2026
CVE-2025-70330 11.03.2026
CVE-2026-30900 Zoom Workplace Clients for Windows - Improper Check 11.03.2026 7.8
CVE-2025-70027 11.03.2026
CVE-2026-32059 OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins 11.03.2026
CVE-2026-32060 OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths 11.03.2026
CVE-2026-32061 OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal 11.03.2026
CVE-2026-32062 OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream 11.03.2026
CVE-2026-32063 OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation 11.03.2026
CVE-2026-3496 JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter 11.03.2026 7.5
CVE-2026-3904 11.03.2026
CVE-2026-3943 H3C ACG1000-AK230 aaa_portal_auth_local_submit command injection 11.03.2026
CVE-2026-3944 itsourcecode University Management System att_add.php sql injection 11.03.2026
CVE-2026-3178 Name Directory <= 1.32.1 - Unauthenticated Stored Cross-Site Scripting via 'name_directory_name' 11.03.2026 7.2
CVE-2026-1965 bad reuse of HTTP Negotiate connection 11.03.2026
CVE-2026-3783 token leak with redirect and netrc 11.03.2026
CVE-2026-3784 wrong proxy connection reuse with credentials 11.03.2026
CVE-2026-3805 use after free in SMB connection reuse 11.03.2026
CVE-2026-1992 ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation 11.03.2026 8.8
CVE-2026-1993 ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update 11.03.2026 8.8
CVE-2026-3231 Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field 11.03.2026 7.2
CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title 11.03.2026 6.4
CVE-2026-3906 WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API 11.03.2026 4.3
CVE-2026-1454 Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting 11.03.2026 7.2
CVE-2024-14024 Video Station 11.03.2026
CVE-2024-14025 Video Station 11.03.2026
CVE-2024-14026 QTS, QuTS hero 11.03.2026
CVE-2026-1708 Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter 11.03.2026 7.5
CVE-2026-2917 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter 11.03.2026 5.4
CVE-2026-2918 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions 11.03.2026 6.4
CVE-2026-3903 Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth 11.03.2026 4.3
CVE-2026-31844 Authenticated SQL Injection in Koha displayby parameter of suggestion.pl 11.03.2026
CVE-2026-3534 Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta 11.03.2026 6.4
CVE-2026-3824 WellChoose|IFTOP - Open redirect 11.03.2026
CVE-2026-3825 WellChoose|IFTOP - Reflected Cross-site Scripting 11.03.2026
CVE-2026-3826 WellChoose|IFTOP - Local File Inclusion 11.03.2026
CVE-2026-1753 Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update 11.03.2026
CVE-2026-1867 WP Front User Submit < 5.0.6 - Unauthenticated Sensitive Information Exposure 11.03.2026
CVE-2026-2466 DukaPress <= 3.2.4 - Reflected XSS 11.03.2026
CVE-2026-2626 Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection 11.03.2026
CVE-2026-2631 Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation 11.03.2026
CVE-2026-3911 Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint 11.03.2026
CVE-2023-27573 11.03.2026 9
CVE-2026-20892 11.03.2026
CVE-2026-24448 11.03.2026
CVE-2026-27842 11.03.2026
CVE-2026-2358 WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute 11.03.2026 6.4
CVE-2026-2707 weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API 11.03.2026 6.4
CVE-2026-3222 WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter 11.03.2026 7.5
CVE-2026-3884 11.03.2026 6.1
CVE-2025-13067 Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass 11.03.2026 8.8
CVE-2026-2413 Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path 11.03.2026 7.5
CVE-2026-23813 Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset 11.03.2026 9.8
CVE-2026-23814 Authenticated Command Injection found in AOS-CX CLI Command 11.03.2026 8.8
CVE-2026-23815 Authenticated Command Injection found in AOS-CX Administrative CLI Command 11.03.2026 7.2
CVE-2026-23816 Authenticated Command Injection found in admin AOS-CX CLI command 11.03.2026 7.2
CVE-2026-23817 Unauthenticated Open Redirect allows URL Manipulation in Web Interface 11.03.2026 6.5
CVE-2026-29515 MiCode FileExplorer SwiFTP Server Authentication Bypass 11.03.2026
CVE-2026-21282 Adobe Commerce | Improper Input Validation (CWE-20) 11.03.2026 5.3
CVE-2026-21284 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 8.1
CVE-2026-21285 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 4.3
CVE-2026-21286 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 5.3
CVE-2026-21289 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 7.5
CVE-2026-21290 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 8.7
CVE-2026-21291 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 4.8
CVE-2026-21292 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-21293 Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918) 11.03.2026 5.5
CVE-2026-21294 Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918) 11.03.2026 5.5
CVE-2026-21295 Adobe Commerce | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) 11.03.2026 3.1
CVE-2026-21296 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 4.3
CVE-2026-21297 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 4.3
CVE-2026-21309 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 7.5
CVE-2026-21310 Adobe Commerce | Improper Input Validation (CWE-20) 11.03.2026 5.3
CVE-2026-21311 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 8
CVE-2026-21359 Adobe Commerce | Incorrect Authorization (CWE-863) 11.03.2026 4.7
CVE-2026-21360 Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 11.03.2026 6.8
CVE-2026-21361 Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 8.1
CVE-2026-3453 ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration 11.03.2026 8.1
CVE-2025-12473 RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter 11.03.2026 6.1
CVE-2026-1781 MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion 11.03.2026 6.5
CVE-2026-2324 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting 11.03.2026 6.1
CVE-2026-27223 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27224 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27225 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27226 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27228 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27229 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27230 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27231 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27232 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27233 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27234 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27235 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27236 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27237 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27239 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27240 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27241 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27242 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27244 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27247 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27248 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27249 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27250 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27251 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27252 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27253 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27254 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27255 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27256 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27257 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27259 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27260 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27261 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27262 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27263 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27264 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27265 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-27266 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) 11.03.2026 5.4
CVE-2026-2569 Dear Flipbook <= 2.4.20 - Authenticated (Author+) Stored Cross-Site Scripting via PDF Page Labels 11.03.2026 6.4
CVE-2026-21333 Illustrator | Untrusted Search Path (CWE-426) 11.03.2026 8.6
CVE-2026-21362 Illustrator | Out-of-bounds Write (CWE-787) 11.03.2026 7.8
CVE-2026-27267 Illustrator | Stack-based Buffer Overflow (CWE-121) 11.03.2026 7.8
CVE-2026-27268 Illustrator | Out-of-bounds Read (CWE-125) 11.03.2026 5.5
CVE-2026-27270 Illustrator | Out-of-bounds Read (CWE-125) 11.03.2026 5.5
CVE-2026-27271 Illustrator | Heap-based Buffer Overflow (CWE-122) 11.03.2026 7.8
CVE-2026-27272 Illustrator | Out-of-bounds Write (CWE-787) 11.03.2026 7.8
CVE-2025-20005 11.03.2026
CVE-2025-20027 11.03.2026
CVE-2025-20028 11.03.2026
CVE-2025-20064 11.03.2026
CVE-2025-20068 11.03.2026
CVE-2025-20073 11.03.2026
CVE-2025-20105 11.03.2026
CVE-2025-22444 11.03.2026
CVE-2025-22850 11.03.2026
CVE-2025-20096 11.03.2026
CVE-2026-31837 Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails. 10.03.2026
CVE-2026-31838 Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access. 11.03.2026
CVE-2026-31830 sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest 10.03.2026 7.5
CVE-2026-31832 Umbraco Backoffice API Allows Unauthorized Modification of Domain Data 10.03.2026 5.4
CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering 10.03.2026 6.7
CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks 10.03.2026 7.2
CVE-2026-27220 Acrobat Reader | Use After Free (CWE-416) 11.03.2026 7.8
CVE-2026-27221 Acrobat Reader | Improper Certificate Validation (CWE-295) 11.03.2026 5.5
CVE-2026-27278 Acrobat Reader | Use After Free (CWE-416) 11.03.2026 7.8
CVE-2026-28807 Path Traversal in wisp.serve_static allows arbitrary file read 11.03.2026
CVE-2026-31824 Sylius has a Promotion Usage Limit Bypass via Race Condition 10.03.2026 8.2
CVE-2026-31825 Sylius has a DQL Injection via API Order Filters 11.03.2026 5.3
CVE-2026-31826 pypdf: manipulated stream length values can exhaust RAM 10.03.2026
CVE-2026-31827 Alienbin: TTL Index Race Condition allows unauthorized deletion of other users data 10.03.2026
CVE-2026-31828 Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction 10.03.2026
CVE-2026-31829 Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access 11.03.2026 7.1
CVE-2026-28806 Improper authorization in device bulk actions and device update API allows cross-organization device control 11.03.2026
CVE-2026-31819 Sylius has an Open Redirect via Referer Header 10.03.2026
CVE-2026-31820 Sylius affected by IDOR in Cart and Checkout LiveComponents 10.03.2026
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint 11.03.2026
CVE-2026-31822 Sylius has a XSS vulnerability in checkout login form 10.03.2026
CVE-2026-31823 Sylius has Authenticated Stored XSS 10.03.2026 4.8
CVE-2026-31812 Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing 11.03.2026
CVE-2026-31815 django-unicorn affected by component state manipulation via unvalidated attribute access 11.03.2026 5.3
CVE-2026-31817 OliveTin's unsafe parsing of UniqueTrackingId can be used to write files 11.03.2026 8.5
CVE-2026-31801 zot create-only policy allows overwrite attempts of existing latest tag (update permission not required) 10.03.2026 7.7
CVE-2026-31807 SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS 10.03.2026
CVE-2026-31808 file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header 10.03.2026 5.3
CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS 10.03.2026
CVE-2025-36920 11.03.2026
CVE-2026-0107 11.03.2026
CVE-2026-0108 11.03.2026
CVE-2026-0109 11.03.2026
CVE-2026-0110 11.03.2026
CVE-2026-0111 11.03.2026
CVE-2026-0112 11.03.2026
CVE-2026-0113 11.03.2026
CVE-2026-0114 11.03.2026
CVE-2026-0115 11.03.2026
CVE-2026-0116 11.03.2026
CVE-2026-0117 11.03.2026
CVE-2026-0118 11.03.2026
CVE-2026-0119 11.03.2026
CVE-2026-0120 11.03.2026
CVE-2026-0121 10.03.2026
CVE-2026-0122 11.03.2026
CVE-2026-0123 11.03.2026
CVE-2026-0124 11.03.2026
CVE-2026-30954 LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy() 11.03.2026
CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators 11.03.2026
CVE-2026-30965 Parse Server session token exfiltration via `redirectClassNameForKey` query parameter 11.03.2026
CVE-2026-30966 Parse Server role escalation and CLP bypass via direct `_Join` table write 11.03.2026 10
CVE-2026-30967 Parse Server OAuth2 authentication adapter account takeover via identity spoofing 11.03.2026
CVE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint 10.03.2026
CVE-2026-31800 Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes 10.03.2026
CVE-2025-66413 Git for Windows leaks NTLM hash when cloning from an attacker-controlled server 11.03.2026 7.4
CVE-2025-70798 10.03.2026
CVE-2025-70802 10.03.2026
CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type 11.03.2026 7.5
CVE-2026-30952 liquidjs has a path traversal fallback vulnerability 11.03.2026
CVE-2026-30953 LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest 11.03.2026 7.7
CVE-2025-13213 Multiple vulnerabilities in IBM Aspera Orchestrator 11.03.2026 5.4
CVE-2025-70244 10.03.2026
CVE-2026-30837 Elysia has a string URL format redos 11.03.2026 7.5
CVE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API 11.03.2026
CVE-2026-30947 Parse Server has a bypass of class-level permissions in LiveQuery 11.03.2026
CVE-2026-30948 Parse Server has stored cross-site scripting (XSS) via SVG file upload 10.03.2026
CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter 10.03.2026
CVE-2025-13219 Multiple vulnerabilities in IBM Aspera Orchestrator 11.03.2026 5.9
CVE-2025-70242 10.03.2026
CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover 11.03.2026
CVE-2026-29793 NoSQL Injection via WebSocket id Parameter in MongoDB Adapter 11.03.2026
CVE-2025-36226 Multiple vulnerabilities in IBM Aspera Faspex 10.03.2026 5.4
CVE-2025-36227 Multiple vulnerabilities in IBM Aspera Faspex 10.03.2026 5.4
CVE-2025-70227 10.03.2026
CVE-2026-29172 Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting 11.03.2026
CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table 10.03.2026
CVE-2026-29174 Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting 10.03.2026
CVE-2026-29175 Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking 11.03.2026
CVE-2026-29176 Craft Commerce has Stored XSS in Inventory Location Name 10.03.2026
CVE-2026-29177 Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout 10.03.2026
CVE-2026-2713 IBM Trusteer Rapport installer affected by uncontrolled search path element vulnerability 10.03.2026 7.4
CVE-2025-48611 11.03.2026 10
CVE-2025-70247 10.03.2026
CVE-2025-70251 10.03.2026
CVE-2026-29113 Craft has a potential information disclosure vulnerability in preview tokens 10.03.2026
CVE-2026-26330 Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly 10.03.2026 5.3
CVE-2026-28495 GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php 10.03.2026 9.7
CVE-2025-70128 10.03.2026
CVE-2025-70129 11.03.2026
CVE-2025-70246 10.03.2026
CVE-2025-70249 10.03.2026
CVE-2026-23868 11.03.2026
CVE-2026-26123 Microsoft Authenticator Information Disclosure Vulnerability 11.03.2026 5.5
CVE-2026-26308 Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation 10.03.2026 7.5
CVE-2026-26309 Envoy has an off-by-one write in JsonEscaper::escapeString() 10.03.2026 5.3
CVE-2026-26310 Crash for scoped ip address in Envoy during DNS 10.03.2026 5.9
CVE-2026-26311 Envoy HTTP: filter chain execution on reset streams causing UAF crash 10.03.2026 5.9
CVE-2026-27825 MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment 10.03.2026 9.1
CVE-2026-2266 Improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting via task list content and enabled arbitrary HTML injection 11.03.2026
CVE-2026-3582 Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope 11.03.2026
CVE-2026-21363 Substance3D - Painter | NULL Pointer Dereference (CWE-476) 10.03.2026 5.5
CVE-2026-21364 Substance3D - Painter | NULL Pointer Dereference (CWE-476) 10.03.2026 5.5
CVE-2026-21365 Substance3D - Painter | Out-of-bounds Read (CWE-125) 10.03.2026 5.5
CVE-2026-26741 11.03.2026
CVE-2026-26742 11.03.2026
CVE-2026-27214 Substance3D - Painter | NULL Pointer Dereference (CWE-476) 10.03.2026 5.5
CVE-2026-27215 Substance3D - Painter | NULL Pointer Dereference (CWE-476) 10.03.2026 5.5
CVE-2026-27216 Substance3D - Painter | Out-of-bounds Read (CWE-125) 10.03.2026 5.5
CVE-2026-27217 Substance3D - Painter | NULL Pointer Dereference (CWE-476) 10.03.2026 5.5
CVE-2026-27218 Substance3D - Painter | NULL Pointer Dereference (CWE-476) 10.03.2026 5.5
CVE-2026-27219 Substance3D - Painter | Out-of-bounds Read (CWE-125) 10.03.2026 5.5
CVE-2026-27269 Premiere Pro | Out-of-bounds Read (CWE-125) 11.03.2026 7.8
CVE-2026-27273 Substance3D - Stager | Out-of-bounds Write (CWE-787) 11.03.2026 7.8
CVE-2026-27274 Substance3D - Stager | Out-of-bounds Write (CWE-787) 11.03.2026 7.8
CVE-2026-27275 Substance3D - Stager | Out-of-bounds Write (CWE-787) 11.03.2026 7.8
CVE-2026-27276 Substance3D - Stager | Use After Free (CWE-416) 11.03.2026 7.8
CVE-2026-27277 Substance3D - Stager | Use After Free (CWE-416) 11.03.2026 7.8
CVE-2026-27279 Substance3D - Stager | Out-of-bounds Write (CWE-787) 11.03.2026 7.8
CVE-2026-27826 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers 10.03.2026 8.2
CVE-2026-28292 simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 11.03.2026 9.8