| CVE | Title | Date | Score |
|---|---|---|---|
| CVE-2026-3703 | Wavlink NU516U1 login.cgi sub_401A10 out-of-bounds write | 08.03.2026 | 9.3 |
| CVE-2026-30860 | WeKnora: Remote Code Execution via SQL Injection Bypass in AI Database Query Tool | 07.03.2026 | 10 |
| CVE-2026-30861 | WeKnora: Remote Code Execution (RCE) via Command Injection in MCP Stdio Configuration Validation | 07.03.2026 | 10 |
| CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters | 07.03.2026 | 9.3 |
| CVE-2026-30832 | Soft Serve: SSRF via unvalidated LFS endpoint in repo import | 07.03.2026 | 9.1 |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | 07.03.2026 | 9.3 |
| CVE-2026-25070 | XikeStor SKS8310-8X PingTestSet Command Injection | 07.03.2026 | 9.3 |
| CVE-2026-29789 | Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification | 06.03.2026 | 10 |
| CVE-2026-30847 | Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens | 06.03.2026 | 9.3 |
| CVE-2026-30843 | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | 06.03.2026 | 9.3 |
| CVE-2026-30844 | Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading | 06.03.2026 | 9.3 |
| CVE-2026-28514 | Rocket.Chat: Users can login with any password via the EE ddp-streamer-service | 06.03.2026 | 9.3 |
| CVE-2026-26288 | Everon api.everon.io Missing Authentication for Critical Function | 06.03.2026 | 9.3 |
| CVE-2026-26051 | Mobiliti e-mobi.hu Missing Authentication for Critical Function | 06.03.2026 | 9.3 |
| CVE-2026-2330 | CVE-2026-2330 | 06.03.2026 | 9.4 |
| CVE-2026-2331 | CVE-2026-2331 | 06.03.2026 | 9.8 |
| CVE-2026-29183 | SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution | 06.03.2026 | 9.3 |
| CVE-2026-29058 | AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php | 06.03.2026 | 9.8 |
| CVE-2026-28794 | oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization | 06.03.2026 | 9.3 |
| CVE-2026-28508 | Idno: Unauthenticated SSRF via URL Unfurl Endpoint | 06.03.2026 | 9.2 |
| CVE-2026-28680 | Ghostfolio: Full-Read SSRF in Manual Asset Import | 06.03.2026 | 9.3 |
| CVE-2026-28785 | Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import | 06.03.2026 | 9.3 |
| CVE-2025-59542 | Chamilo: Account Takeover via Stored XSS in Course Learning Paths | 06.03.2026 | 9.1 |
| CVE-2025-59543 | Chamilo: Account Takeover via Stored XSS in Course Description | 06.03.2026 | 9.1 |
| CVE-2026-28497 | TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling) | 06.03.2026 | 9.3 |
| CVE-2026-28501 | WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php | 06.03.2026 | 9.8 |
| CVE-2026-28502 | WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction | 06.03.2026 | 9.3 |
| CVE-2026-29046 | TinyWeb: HTTP Header Control Character Injection into CGI Environment | 06.03.2026 | 9.2 |
| CVE-2026-22552 | ePower epower.ie Missing Authentication for Critical Function | 05.03.2026 | 9.3 |
| CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | 06.03.2026 | 9.8 |
| CVE-2026-28391 | OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement | 06.03.2026 | 9.2 |
| CVE-2026-28446 | OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching | 06.03.2026 | 9.2 |
| CVE-2026-28466 | OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass | 06.03.2026 | 9.4 |
| CVE-2026-28470 | OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes | 05.03.2026 | 9.2 |
| CVE-2026-28472 | OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake | 06.03.2026 | 9.2 |
| CVE-2026-28474 | OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing | 05.03.2026 | 9.3 |
| CVE-2026-21622 | Password Reset Tokens Do Not Expire | 05.03.2026 | 9.5 |
| CVE-2025-55208 | Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files | 06.03.2026 | 9.1 |
| CVE-2026-29188 | File Browser: TUS Delete Endpoint Bypasses Delete Permission Check | 06.03.2026 | 9.1 |
| CVE-2026-0848 | Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading | 06.03.2026 | 10 |
| CVE-2026-28353 | Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release | 06.03.2026 | 10 |
| CVE-2026-25921 | Gogs: Cross-repository LFS object overwrite via missing content hash verification | 06.03.2026 | 9.3 |
| CVE-2026-24457 | | 06.03.2026 | 9.1 |
| CVE-2026-27944 | Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure | 06.03.2026 | 9.8 |
| CVE-2026-30789 | RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks | 05.03.2026 | 9.3 |
| CVE-2026-30790 | RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force | 05.03.2026 | 9.3 |
| CVE-2026-30797 | RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server | 05.03.2026 | 9.3 |
| CVE-2026-30792 | RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings | 06.03.2026 | 9.1 |
| CVE-2026-30793 | RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation | 05.03.2026 | 9.3 |
| CVE-2026-30794 | RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure | 05.03.2026 | 9.1 |
| CVE-2026-2599 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' | 05.03.2026 | 9.8 |
| CVE-2026-21628 | Extension - astroidframe.work - Unauthenticated Remote Code Execution in Astroid Framework 2.0.0 - 3.3.10 for Joomla | 05.03.2026 | 10 |
| CVE-2026-28536 | | 05.03.2026 | 9.6 |
| CVE-2026-2743 | SEPPmail User Web Interface Arbitrary File Write to RCE | 05.03.2026 | 10 |
| CVE-2026-1678 | dns: memory-safety issue in the DNS name parser | 05.03.2026 | 9.4 |
| CVE-2026-29127 | Incorrect Permission Assignment (777) on `monitor` Users Home Directory Containing SUID Root Binaries in IDC SFX2100 | 05.03.2026 | 9.2 |
| CVE-2026-2835 | HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing | 06.03.2026 | 9.3 |
| CVE-2026-2833 | HTTP Request Smuggling via Premature Upgrade | 06.03.2026 | 9.3 |
| CVE-2026-29000 | pac4j-jwt JwtAuthenticator Authentication Bypass | 07.03.2026 | 10 |
| CVE-2026-20079 | | 05.03.2026 | 10 |
| CVE-2026-20131 | | 05.03.2026 | 10 |
| CVE-2026-28783 | Craft has a Twig Function Blocklist Bypass | 06.03.2026 | 9.4 |
| CVE-2026-28697 | Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates | 06.03.2026 | 9.4 |
| CVE-2026-27441 | PDF Password CMDi | 04.03.2026 | 9.5 |
| CVE-2026-27442 | zip_attachments Path Traversal | 04.03.2026 | 9.3 |
| CVE-2026-27446 | Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation | 05.03.2026 | 9.3 |
| CVE-2026-29120 | Insecure, Hardcoded Root Password Stored in Anaconda Configuration File On IDC SFX2100 Satellite Receiver | 05.03.2026 | 9.2 |
| CVE-2026-28777 | Hardcoded and Insecure Credentials for "User" Local Account with SSH Access On IDC SFX2100 Satellite Receiver | 05.03.2026 | 9.2 |
| CVE-2026-28773 | Authenticated OS Command Injection via Ping Utility Leading to RCE as Root | 05.03.2026 | 9.3 |
| CVE-2026-28774 | Authenticated OS Command Injection via Traceroute Utility leads to Root RCE | 05.03.2026 | 9.3 |
| CVE-2026-28775 | Unauthenticated RCE via SNMP Default Writable Community String | 05.03.2026 | 10 |
| CVE-2026-27971 | Qwik affected by unauthenticated RCE via server$ Deserialization | 04.03.2026 | 9.2 |
| CVE-2026-28289 | FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution | 05.03.2026 | 10 |
| CVE-2026-26279 | Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection | 04.03.2026 | 9.1 |
| CVE-2026-26266 | AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering | 04.03.2026 | 9.3 |
| CVE-2026-24898 | OpenEMR has an Unauthenticated MedEx Token Disclosure | 04.03.2026 | 10 |
| CVE-2026-25146 | OpenEMR's payments gateway_api_key secret rendered into client JS code | 04.03.2026 | 9.6 |
| CVE-2026-27012 | Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php | 04.03.2026 | 9.8 |
| CVE-2026-3485 | D-Link DIR-868L SSDP Service sub_1BF84 os command injection | 03.03.2026 | 9.3 |
| CVE-2026-3437 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Portwell Engineering Toolkits | 03.03.2026 | 9.3 |
| CVE-2026-22891 | | 03.03.2026 | 9.8 |
| CVE-2026-22886 | | 03.03.2026 | 9.8 |
| CVE-2026-1492 | User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration | 03.03.2026 | 9.8 |
| CVE-2026-2628 | All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass | 03.03.2026 | 9.8 |
| CVE-2025-50187 | Chamilo: Evaluation of untrusted user input leads to Remote Code Execution | 02.03.2026 | 9.8 |
| CVE-2026-23600 | | 03.03.2026 | 10 |
| CVE-2025-12462 | Blind SQL Injection in DobryCMS | 02.03.2026 | 9.3 |
| CVE-2025-14532 | Remote Code Execution via Unrestricted File Upload in DobryCMS | 02.03.2026 | 9.3 |
| CVE-2026-3431 | Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion | 02.03.2026 | 9.8 |
| CVE-2026-3432 | Sim Studio AI - Unauthenticated OAuth Token Theft | 02.03.2026 | 9.3 |
| CVE-2025-30035 | Lack of API authentication allowing session generation for any user | 02.03.2026 | 9 |
| CVE-2025-30042 | Session generation possible with certificate number only | 02.03.2026 | 9 |
| CVE-2025-30044 | RCE on uhcapache user permissions | 02.03.2026 | 9.4 |
| CVE-2026-2584 | SQL Injection in Ciser System SL firmware | 02.03.2026 | 9.3 |
| CVE-2026-2999 | Changing\|IDExpert Windows Logon Agent - Remote Code Execution | 02.03.2026 | 9.3 |
| CVE-2026-3000 | Changing\|IDExpert Windows Logon Agent - Remote Code Execution | 02.03.2026 | 9.3 |
| CVE-2026-3422 | e-Excellence\|U-Office Force - Insecure Deserialization | 02.03.2026 | 9.3 |