| CVE-2026-5128 |
|
30.03.2026 |
10 |
| CVE-2026-4415 |
GIGABYTE|Gigabyte Control Center - Arbitrary File Write |
30.03.2026 |
9.2 |
| CVE-2025-15379 |
Command Injection in mlflow/mlflow |
30.03.2026 |
10 |
| CVE-2025-15036 |
Path Traversal Vulnerability in mlflow/mlflow |
30.03.2026 |
9.6 |
| CVE-2026-32915 |
OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface |
29.03.2026 |
9.3 |
| CVE-2026-32918 |
OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool |
30.03.2026 |
9.2 |
| CVE-2026-32922 |
OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate |
30.03.2026 |
9.4 |
| CVE-2026-32978 |
OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners |
30.03.2026 |
9.4 |
| CVE-2026-32987 |
OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing |
30.03.2026 |
9.3 |
| CVE-2016-20049 |
JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution |
30.03.2026 |
9.3 |
| CVE-2017-20225 |
TiEmu 2.08 Stack-Based Buffer Overflow Vulnerability |
28.03.2026 |
9.3 |
| CVE-2017-20227 |
JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow |
28.03.2026 |
9.3 |
| CVE-2017-20229 |
MAWK 1.3.3-17 Stack-Based Buffer Overflow |
30.03.2026 |
9.3 |
| CVE-2018-25220 |
Bochs 2.6-5 Buffer Overflow Remote Code Execution |
30.03.2026 |
9.3 |
| CVE-2018-25221 |
EChat Server 3.1 Buffer Overflow via chat.ghp username Parameter |
28.03.2026 |
9.3 |
| CVE-2018-25223 |
Crashmail 1.6 Stack-based Buffer Overflow Remote Code Execution |
28.03.2026 |
9.3 |
| CVE-2026-33992 |
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration |
27.03.2026 |
9.3 |
| CVE-2026-33976 |
Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering |
30.03.2026 |
9.7 |
| CVE-2026-33937 |
Handlebars.js has JavaScript Injection via AST Type Confusion |
27.03.2026 |
9.8 |
| CVE-2026-33875 |
Authenticator Vulnerable to Authentication Flow Hijack |
27.03.2026 |
9.3 |
| CVE-2026-33873 |
Langflow has Authenticated Code Execution in Agentic Assistant Validation |
27.03.2026 |
9.3 |
| CVE-2026-34205 |
Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mode |
27.03.2026 |
9.7 |
| CVE-2026-34374 |
AVideo has SQL Injection in Live_schedule::keyExists() via Unparameterized Stream Key |
27.03.2026 |
9.1 |
| CVE-2026-33867 |
AVideo has Plaintext Video Password Storage |
27.03.2026 |
9.1 |
| CVE-2026-27876 |
RCE on Grafana via sqlExpressions |
28.03.2026 |
9.1 |
| CVE-2026-1496 |
Coverity CLI Authentication Bypass |
27.03.2026 |
9.3 |
| CVE-2026-33757 |
OpenBao lacks user confirmation for OIDC direct callback mode |
30.03.2026 |
9.6 |
| CVE-2026-33758 |
OpenBao has Reflected XSS in its OIDC authentication error message |
27.03.2026 |
9.4 |
| CVE-2026-22738 |
SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution |
28.03.2026 |
9.8 |
| CVE-2026-33701 |
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution |
27.03.2026 |
9.3 |
| CVE-2026-33728 |
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution |
27.03.2026 |
9.3 |
| CVE-2026-33945 |
Abitrary file write through systemd-creds option |
27.03.2026 |
10 |
| CVE-2026-33897 |
Incus vulnerable to arbitrary file read and write through pongo templates |
27.03.2026 |
10 |
| CVE-2026-33669 |
SiYuan has Arbitrary Document Reading within the Publishing Service |
27.03.2026 |
9.8 |
| CVE-2026-33670 |
SiYuan has directory traversal within its publishing service |
30.03.2026 |
9.8 |
| CVE-2026-33640 |
Outline has a rate limit bypass that allows brute force of email login OTP |
30.03.2026 |
9.1 |
| CVE-2026-33152 |
Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication |
26.03.2026 |
9.1 |
| CVE-2026-33494 |
Ory Oathkeeper has a path traversal authorization bypass |
27.03.2026 |
10 |
| CVE-2026-33396 |
OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe |
26.03.2026 |
10 |
| CVE-2026-4809 |
Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable |
26.03.2026 |
9.3 |
| CVE-2026-4484 |
Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator |
26.03.2026 |
9.8 |
| CVE-2026-33526 |
Squid vulnerable to Denial of Service in ICP Request handling |
26.03.2026 |
9.2 |
| CVE-2026-33696 |
n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE |
25.03.2026 |
9.4 |
| CVE-2026-33660 |
n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode |
28.03.2026 |
9.4 |
| CVE-2026-26832 |
|
25.03.2026 |
9.8 |
| CVE-2026-26830 |
|
27.03.2026 |
9.8 |
| CVE-2025-33244 |
|
25.03.2026 |
9 |
| CVE-2026-33322 |
MinIO: JWT Algorithm Confusion in OIDC Authentication |
25.03.2026 |
9.2 |
| CVE-2026-33419 |
MinIO: LDAP login brute-force via user enumeration and missing rate limit |
25.03.2026 |
9.1 |
| CVE-2026-2417 |
Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller |
24.03.2026 |
9.3 |
| CVE-2026-33340 |
LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint |
24.03.2026 |
9.1 |
| CVE-2026-33309 |
Langflow has an Arbitrary File Write (RCE) via v2 API |
25.03.2026 |
10 |
| CVE-2026-33475 |
Langflow GitHub Actions Shell Injection |
25.03.2026 |
9.1 |
| CVE-2019-25628 |
Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow |
24.03.2026 |
9.3 |
| CVE-2019-25646 |
Tabs Mail Carrier 2.5.1 Buffer Overflow via MAIL FROM |
24.03.2026 |
9.3 |
| CVE-2026-4755 |
CWE-20 in MolotovCherry Android-ImageMagick7 |
24.03.2026 |
9.8 |
| CVE-2026-4750 |
Out-of-bounds Read in fabiangreffrath woof |
24.03.2026 |
9.1 |
| CVE-2026-4753 |
Out-of-bounds Read in slajerek RetroDebugger |
24.03.2026 |
9.1 |
| CVE-2026-4283 |
WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users |
24.03.2026 |
9.1 |
| CVE-2026-4745 |
Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja |
24.03.2026 |
10 |
| CVE-2026-4746 |
Heap Buffer Over-Write Vulenrabilty in timeplus-io/proton |
24.03.2026 |
10 |
| CVE-2026-4734 |
Heap Buffer Overflow in yoyofr/modizer |
24.03.2026 |
9.4 |
| CVE-2026-4738 |
GDAL Bundled zlib (inftree9.c) Pointer Offset Optimization Undefined Behavior Allows Heap Corruption or Remote Code Execution |
24.03.2026 |
9.4 |
| CVE-2026-4739 |
Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK |
24.03.2026 |
9.4 |
| CVE-2026-4744 |
Notepad3 Bundled Oniguruma compile_string_node() Heap Buffer Overflow via Crafted Regex Pattern Allows Arbitrary Code Execution |
24.03.2026 |
9.3 |
| CVE-2026-33211 |
Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from the resolver pod |
24.03.2026 |
9.6 |
| CVE-2026-33286 |
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names |
24.03.2026 |
9.1 |
| CVE-2026-4001 |
Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula |
24.03.2026 |
9.8 |
| CVE-2026-4681 |
Critical Remote Code Execution vulnerability reported in Windchill |
24.03.2026 |
9.3 |
| CVE-2026-33634 |
Trivy ecosystem supply chain briefly compromised |
30.03.2026 |
9.4 |
| CVE-2025-60949 |
Census CSWeb leaked configuration files |
25.03.2026 |
9.3 |
| CVE-2026-3055 |
Insufficient input validation leading to memory overread |
24.03.2026 |
9.3 |
| CVE-2026-30849 |
MantisBT SOAP API has an authentication bypass vulnerability on MySQL |
24.03.2026 |
9.3 |
| CVE-2026-0898 |
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. |
24.03.2026 |
9 |
| CVE-2026-33716 |
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php |
24.03.2026 |
9.4 |