| CVE | Title | Date | Score |
|---|---|---|---|
| CVE-2026-22561 | | 31.03.2026 | |
| CVE-2026-30276 | | 31.03.2026 | |
| CVE-2026-30281 | | 31.03.2026 | |
| CVE-2026-34220 | MikroORM is vulnerable to SQL Injection via specially crafted object | 31.03.2026 | |
| CVE-2026-34221 | MikroORM has Prototype Pollution in Utils.merge | 31.03.2026 | |
| CVE-2026-34227 | Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface | 31.03.2026 | |
| CVE-2026-34231 | Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag | 31.03.2026 | 6.1 |
| CVE-2026-34235 | PJSIP: Heap OOB read in VPX unpacketizer | 31.03.2026 | |
| CVE-2026-34237 | MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) | 31.03.2026 | 6.1 |
| CVE-2026-34240 | jose vulnerable to untrusted JWK header key acceptance during signature verification | 31.03.2026 | 7.5 |
| CVE-2026-5203 | CMS Made Simple UserGuide Module XML Import class.UserGuideImporterExporter.php _copyFilesToFolder path traversal | 31.03.2026 | |
| CVE-2026-5204 | Tenda CH22 Parameter webtypelibrary formWebTypeLibrary stack-based overflow | 31.03.2026 | |
| CVE-2026-22569 | Incorrect startup configuration in ZCC | 31.03.2026 | 5.4 |
| CVE-2026-34218 | ClearanceKit: Managed and user-defined policy rules not enforced between opfilter start and first policy modification | 31.03.2026 | |
| CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS | 31.03.2026 | |
| CVE-2026-34574 | Parse Server: Session field immutability bypass via falsy-value guard | 31.03.2026 | |
| CVE-2026-34595 | Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value | 31.03.2026 | |
| CVE-2026-4818 | Some management operations on data streams are not properly restricted when the user does not have the necessary privileges | 31.03.2026 | 6.8 |
| CVE-2026-4819 | Search Guard audit logs can, under certain conditions, contain user credentials | 31.03.2026 | 4.9 |
| CVE-2026-0596 | Command Injection in mlflow/mlflow | 31.03.2026 | |
| CVE-2026-29870 | | 31.03.2026 | |
| CVE-2026-30314 | | 31.03.2026 | |
| CVE-2026-34224 | Parse Server: MFA single-use token bypass via concurrent authData login requests | 31.03.2026 | |
| CVE-2026-34363 | Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers | 31.03.2026 | |
| CVE-2026-34373 | Parse Server: GraphQL API endpoint ignores CORS origin restriction | 31.03.2026 | |
| CVE-2026-34532 | Parse Server: Cloud function validator bypass via prototype chain traversal | 31.03.2026 | |
| CVE-2026-4799 | Open redirect vulnerability in Search Guard Kibana Plugin via manipulated requests | 31.03.2026 | 4.3 |
| CVE-2026-20915 | Stored cross-site scripting in Pending Changes sidebar | 31.03.2026 | |
| CVE-2026-30309 | | 31.03.2026 | |
| CVE-2026-30311 | | 31.03.2026 | |
| CVE-2026-30312 | | 31.03.2026 | |
| CVE-2026-33276 | XSS in Unified Search via Unescaped Host/Service Names | 31.03.2026 | |
| CVE-2026-33576 | OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel | 31.03.2026 | |
| CVE-2026-33577 | OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve | 31.03.2026 | |
| CVE-2026-33578 | OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions | 31.03.2026 | |
| CVE-2026-33579 | OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval | 31.03.2026 | |
| CVE-2026-33580 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication | 31.03.2026 | |
| CVE-2026-33581 | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters | 31.03.2026 | |
| CVE-2026-33762 | go-git: Missing validation decoding Index v4 files leads to panic | 31.03.2026 | 2.8 |
| CVE-2026-34162 | FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft | 31.03.2026 | 10 |
| CVE-2026-34163 | Server-Side Request Forgery via MCP Tools Endpoint in FastGPT | 31.03.2026 | 7.7 |
| CVE-2026-34165 | go-git: Maliciously crafted idx file can cause asymmetric memory consumption | 31.03.2026 | 5 |
| CVE-2026-34172 | Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment | 31.03.2026 | |
| CVE-2026-34200 | Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port | 31.03.2026 | |
| CVE-2026-34202 | Zebra node crash — V5 transaction hash panic (P2P reachable) | 31.03.2026 | |
| CVE-2026-34209 | mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality | 31.03.2026 | 7.5 |
| CVE-2026-34210 | mppx has Stripe charge credential replay via missing idempotency check | 31.03.2026 | |
| CVE-2026-34214 | Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON | 31.03.2026 | 7.7 |
| CVE-2026-34377 | Zebra has a Consensus Failure due to Improper Verification of V5 Transactions | 31.03.2026 | |
| CVE-2026-34503 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | 31.03.2026 | |
| CVE-2026-34504 | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider | 31.03.2026 | |
| CVE-2026-30310 | | 31.03.2026 | |
| CVE-2026-34155 | RAUC: Improper Signing of Plain Bundles Exceeding 2 GiB | 31.03.2026 | |
| CVE-2026-34156 | NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node | 31.03.2026 | 10 |
| CVE-2026-3308 | CVE-2026-3308 | 31.03.2026 | |
| CVE-2026-24028 | Out-of-bounds read when parsing DNS packets via Lua | 31.03.2026 | 5.3 |
| CVE-2026-24029 | DNS over HTTPS ACL bypass | 31.03.2026 | 6.5 |
| CVE-2026-24030 | Unbounded memory allocation for DoQ and DoH3 | 31.03.2026 | 5.3 |
| CVE-2026-27853 | Out-of-bounds write when rewriting large DNS packets | 31.03.2026 | 5.9 |
| CVE-2026-27854 | Use after free when parsing EDNS options in Lua | 31.03.2026 | 4.8 |
| CVE-2025-14213 | Cato's Socket WebUI is vulnerable to OS Command Injection | 31.03.2026 | |
| CVE-2026-0396 | HTML injection in the web dashboard | 31.03.2026 | 3.1 |
| CVE-2026-0397 | Information disclosure via CORS misconfiguration | 31.03.2026 | 3.1 |
| CVE-2024-14030 | Sereal::Decoder versions from 4.000 through 4.009_002 for Perl are vulnerable to a buffer overwrite flaw in the Zstandard library | 31.03.2026 | |
| CVE-2024-14031 | Sereal::Encoder versions from 4.000 through 4.009_002 for Perl are vulnerable to a buffer overwrite flaw in the Zstandard library | 31.03.2026 | |
| CVE-2026-32916 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | 31.03.2026 | 7.7 |
| CVE-2026-32917 | OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP | 31.03.2026 | |
| CVE-2026-32920 | OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins | 31.03.2026 | |
| CVE-2026-32921 | OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run | 31.03.2026 | 6.3 |
| CVE-2026-32970 | OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs | 31.03.2026 | 2.5 |
| CVE-2026-32971 | OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands | 31.03.2026 | 7.1 |
| CVE-2026-32976 | OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands | 31.03.2026 | 6.5 |
| CVE-2026-32977 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | 31.03.2026 | 6.3 |
| CVE-2026-32982 | OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs | 31.03.2026 | |
| CVE-2026-32988 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation | 31.03.2026 | 7.5 |
| CVE-2026-34505 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation | 31.03.2026 | |
| CVE-2026-34506 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | 31.03.2026 | |
| CVE-2026-34508 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation | 31.03.2026 | |
| CVE-2026-34509 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration | 31.03.2026 | |
| CVE-2026-3139 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field | 31.03.2026 | 4.3 |
| CVE-2026-3191 | Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update | 31.03.2026 | 5.4 |
| CVE-2026-4267 | Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI | 31.03.2026 | 7.2 |
| CVE-2026-5198 | code-projects Student Membership System Admin Login index.php sql injection | 31.03.2026 | |
| CVE-2025-15618 | Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key | 31.03.2026 | |
| CVE-2026-34887 | WordPress Kubio AI Page Builder plugin <= 2.7.0 - Cross Site Scripting (XSS) vulnerability | 31.03.2026 | 6.5 |
| CVE-2026-4399 | Multiple vulnerabilities in 1millionbot Millie chatbot | 31.03.2026 | |
| CVE-2026-4400 | Multiple vulnerabilities in 1millionbot Millie chatbot | 31.03.2026 | |
| CVE-2026-4317 | SQL injection in Umami Software application | 31.03.2026 | |
| CVE-2026-5197 | code-projects Student Membership System delete_user.php sql injection | 31.03.2026 | |
| CVE-2025-10553 | Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x | 31.03.2026 | 8.7 |
| CVE-2025-10559 | Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x | 31.03.2026 | 7.1 |
| CVE-2025-41355 | Reflected Cross-Site Scripting on Anon Proxy Server | 31.03.2026 | |
| CVE-2025-41356 | Reflected Cross-Site Scripting in Anon Proxy Server | 31.03.2026 | |
| CVE-2025-41357 | Reflected Cross-Site Scripting on Anon Proxy Server | 31.03.2026 | |
| CVE-2026-3106 | Multiple vulnerabilities in Teampass | 31.03.2026 | |
| CVE-2026-3107 | Multiple vulnerabilities in Teampass | 31.03.2026 | |
| CVE-2026-5196 | code-projects Student Membership System delete_member.php sql injection | 31.03.2026 | |
| CVE-2025-10551 | Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x | 31.03.2026 | 8.7 |
| CVE-2026-5201 | gdk-pixbuf: denial of service via heap-based buffer overflow when processing a specially crafted JPEG image | 31.03.2026 | |
| CVE-2026-5195 | code-projects Student Membership System User Registration sql injection | 31.03.2026 | |
| CVE-2026-5186 | Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free | 31.03.2026 | |
| CVE-2026-5184 | TRENDnet TEW-713RE setSysAdm command injection | 31.03.2026 | |
| CVE-2026-5185 | Nothings stb_image Multi-frame GIF File stb_image.h stbi__gif_load_next heap-based overflow | 31.03.2026 | |
| CVE-2026-3881 | Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF | 31.03.2026 | |
| CVE-2026-1834 | Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | 31.03.2026 | 6.4 |
| CVE-2026-1877 | Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page | 31.03.2026 | 6.1 |
| CVE-2026-34881 | | 31.03.2026 | 5 |
| CVE-2026-5182 | SourceCodester Teacher Record System Parameter sql injection | 31.03.2026 | |
| CVE-2026-5183 | TRENDnet TEW-713RE addRouting sub_421494 command injection | 31.03.2026 | |
| CVE-2026-1710 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax | 31.03.2026 | 6.5 |
| CVE-2026-1797 | Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files | 31.03.2026 | 5.3 |
| CVE-2026-4146 | Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter | 31.03.2026 | 6.1 |
| CVE-2026-5181 | SourceCodester Simple Doctors Appointment System ajax.php unrestricted upload | 31.03.2026 | |
| CVE-2026-5179 | SourceCodester Simple Doctors Appointment System login.php sql injection | 31.03.2026 | |
| CVE-2026-5180 | SourceCodester Simple Doctors Appointment System ajax.php sql injection | 31.03.2026 | |
| CVE-2026-5178 | Totolink A3300R cstecgi.cgi setIptvCfg command injection | 31.03.2026 | |
| CVE-2026-32714 | SciTokens vulnerable to SQL Injection in KeyCache | 31.03.2026 | 9.8 |
| CVE-2026-32716 | SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking | 31.03.2026 | 8.1 |
| CVE-2026-32727 | SciTokens: Authorization Bypass via Path Traversal in Scope Validation | 31.03.2026 | 8.1 |
| CVE-2026-33997 | Moby: Off-by-one error in plugin privilege validation | 31.03.2026 | 6.8 |
| CVE-2026-34036 | Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php | 31.03.2026 | 6.5 |
| CVE-2026-34040 | Moby: AuthZ plugin bypass with oversized request body | 31.03.2026 | 8.8 |
| CVE-2026-34041 | act: Unrestricted set-env and add-path command processing enables environment injection | 31.03.2026 | |
| CVE-2026-34042 | act: actions/cache server allows malicious cache injection | 31.03.2026 | 8.2 |
| CVE-2026-34043 | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | 31.03.2026 | 5.9 |
| CVE-2026-34054 | openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element) | 31.03.2026 | 7.8 |
| CVE-2026-34060 | Ruby LSP has arbitrary code execution through branch setting | 31.03.2026 | |
| CVE-2026-34070 | LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions | 31.03.2026 | 7.5 |
| CVE-2026-34073 | cryptography has incomplete DNS name constraint enforcement on peer names | 31.03.2026 | |
| CVE-2026-5177 | Totolink A3300R cstecgi.cgi setWiFiBasicCfg command injection | 31.03.2026 | |
| CVE-2026-3300 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | 31.03.2026 | 9.8 |
| CVE-2026-4020 | Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API | 31.03.2026 | 7.5 |
| CVE-2026-5176 | Totolink A3300R cstecgi.cgi setSyslogCfg command injection | 31.03.2026 | |
| CVE-2025-32957 | baserCMS: unsafe File Upload Leading to Remote Code Execution (RCE) | 31.03.2026 | 8.7 |
| CVE-2026-21861 | baserCMS: OS Command Injection Leading to Remote Code Execution (RCE) | 31.03.2026 | 9.1 |
| CVE-2026-27697 | baserCMS: SQL injection vulnerability in blog post | 31.03.2026 | |
| CVE-2026-30877 | baserCMS: OS Command Injection in the baserCMS Update Functionality | 31.03.2026 | 9.1 |
| CVE-2026-30878 | baserCMS: Mail Form Acceptance Bypass via Public API | 31.03.2026 | 5.3 |
| CVE-2026-30879 | baserCMS: Cross-site scripting vulnerability in blog post | 31.03.2026 | |
| CVE-2026-30880 | baserCMS: OS command injection vulnerability in installer | 31.03.2026 | |
| CVE-2026-30940 | baserCMS: Path Traversal in Theme File API Leads to Arbitrary File Write and RCE | 31.03.2026 | 7.2 |
| CVE-2026-32734 | baserCMS: Multiple vulnerabilities in baserCMS | 31.03.2026 | 7.1 |
| CVE-2026-4794 | Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF | 31.03.2026 | |
| CVE-2026-5115 | Session hijacking in PaperCut NG/MF embedded application for Konica Minolta devices | 31.03.2026 | |
| CVE-2026-5156 | Tenda CH22 Parameter QuickIndex formQuickIndex stack-based overflow | 31.03.2026 | |
| CVE-2026-5157 | code-projects Online Food Ordering System Order order.php cross site scripting | 30.03.2026 | |
| CVE-2026-5154 | Tenda CH22 Parameter setcfm fromSetCfm stack-based overflow | 31.03.2026 | |
| CVE-2026-5155 | Tenda CH22 Parameter AdvSetWan fromAdvSetWan stack-based overflow | 30.03.2026 | |
| CVE-2026-5130 | Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation | 31.03.2026 | 8.8 |
| CVE-2026-32794 | Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange | 31.03.2026 | |
| CVE-2026-33952 | FreeRDP: DoS via WINPR_ASSERT in rts_read_auth_verifier_no_checks | 30.03.2026 | |
| CVE-2026-33977 | FreeRDP: DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331) | 30.03.2026 | |
| CVE-2026-33982 | FreeRDP: Persistent Cache Allocator Mismatch - Heap OOB Read | 31.03.2026 | 7.1 |
| CVE-2026-33983 | FreeRDP: Progressive Codec Quant BYTE Underflow - UB + CPU DoS | 31.03.2026 | 6.5 |
| CVE-2026-33984 | FreeRDP: ClearCodec resize_vbar_entry() Heap OOB Write | 30.03.2026 | 7.5 |
| CVE-2026-33985 | FreeRDP: ClearCodec Glyph Cache Count Desync - Heap OOB Read | 30.03.2026 | 5.9 |
| CVE-2026-33986 | FreeRDP: H.264 YUV Buffer Dimension Desync - Heap OOB Write | 31.03.2026 | 7.5 |
| CVE-2026-33987 | FreeRDP: Persistent Cache bmpSize Desync - Heap OOB Write | 31.03.2026 | 7.1 |
| CVE-2026-33995 | FreeRDP: Possible double free in kerberos_AcceptSecurityContext | 30.03.2026 | 5.3 |
| CVE-2026-4257 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | 30.03.2026 | 9.8 |
| CVE-2026-5153 | Tenda CH22 WriteFacMac FormWriteFacMac command injection | 31.03.2026 | |
| CVE-2026-4789 | CVE-2026-4789 | 30.03.2026 | |
| CVE-2026-27599 | CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 30.03.2026 | 4.7 |
| CVE-2026-28228 | OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution | 30.03.2026 | 8.8 |
| CVE-2026-30308 | | 30.03.2026 | |
| CVE-2026-30313 | | 30.03.2026 | |
| CVE-2026-31946 | OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow | 31.03.2026 | 9.8 |
| CVE-2026-32877 | Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field | 31.03.2026 | 8.2 |
| CVE-2026-32883 | Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass | 30.03.2026 | 5.9 |
| CVE-2026-32884 | Botan: Case-Insensitive CN Values Bypass DNS excludedSubtrees Name Constraints (RFC 5280 Violation) | 30.03.2026 | 5.9 |
| CVE-2026-34557 | CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 31.03.2026 | 9.1 |
| CVE-2026-34558 | CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 31.03.2026 | 9.1 |
| CVE-2026-5152 | Tenda CH22 createFileName formCreateFileName stack-based overflow | 30.03.2026 | |
| CVE-2026-25627 | nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket | 30.03.2026 | 6.5 |
| CVE-2026-27018 | Gotenberg: Chromium deny-list bypass via case-insensitive URL scheme | 31.03.2026 | |
| CVE-2026-30306 | | 30.03.2026 | |
| CVE-2026-32696 | NanoMQ HTTP Auth: Missing username/password can trigger a NULL-pointer strlen() in auth_http.c:set_data(), causing a process crash — SIGSEGV, remotely triggerable | 31.03.2026 | 3.1 |
| CVE-2026-31799 | Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters | 30.03.2026 | 4.9 |
| CVE-2026-32275 | Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft | 30.03.2026 | |
| CVE-2026-5148 | YunaiV yudao-cloud page sql injection | 30.03.2026 | |
| CVE-2026-5150 | code-projects Accounting System Parameter viewin_costumer.php sql injection | 31.03.2026 | |
| CVE-2026-28505 | Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check | 30.03.2026 | |
| CVE-2026-30305 | | 30.03.2026 | |
| CVE-2026-31804 | Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server | 30.03.2026 | 4 |
| CVE-2026-31831 | Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint | 30.03.2026 | |
| CVE-2026-33026 | nginx-ui Backup Restore Allows Tampering with Encrypted Backups | 31.03.2026 | |
| CVE-2026-21710 | | 31.03.2026 | |
| CVE-2026-21711 | | 30.03.2026 | |
| CVE-2026-21713 | | 30.03.2026 | |
| CVE-2026-21714 | | 30.03.2026 | |
| CVE-2026-21715 | | 30.03.2026 | |
| CVE-2026-21716 | | 31.03.2026 | |
| CVE-2026-21717 | | 30.03.2026 | |
| CVE-2026-30307 | | 30.03.2026 | |
| CVE-2026-5147 | YunaiV yudao-cloud get-by-website sql injection | 31.03.2026 | |
| CVE-2026-29924 | | 30.03.2026 | |
| CVE-2026-29925 | | 30.03.2026 | |
| CVE-2026-34714 | | 31.03.2026 | 9.2 |
| CVE-2026-3991 | Elevation of Privileges in Symantec Data Loss Prevention Windows Endpoint | 31.03.2026 | 7.8 |