CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-33396 OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe 26.03.2026 10
CVE-2026-4809 Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable 26.03.2026 9.3
CVE-2026-4484 Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator 26.03.2026 9.8
CVE-2026-33526 Squid vulnerable to Denial of Service in ICP Request handling 26.03.2026 9.2
CVE-2026-33696 n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE 25.03.2026 9.4
CVE-2026-33660 n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode 25.03.2026 9.4
CVE-2026-26832 25.03.2026 9.8
CVE-2026-26830 25.03.2026 9.8
CVE-2025-33244 25.03.2026 9
CVE-2026-33322 MinIO: JWT Algorithm Confusion in OIDC Authentication 25.03.2026 9.2
CVE-2026-33419 MinIO: LDAP login brute-force via user enumeration and missing rate limit 25.03.2026 9.1
CVE-2026-2417 Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller 24.03.2026 9.3
CVE-2026-33340 LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint 24.03.2026 9.1
CVE-2026-33309 Langflow has an Arbitrary File Write (RCE) via v2 API 25.03.2026 10
CVE-2026-33475 Langflow GitHub Actions Shell Injection 25.03.2026 9.1
CVE-2019-25628 Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow 24.03.2026 9.3
CVE-2019-25646 Tabs Mail Carrier 2.5.1 Buffer Overflow via MAIL FROM 24.03.2026 9.3
CVE-2026-4755 CWE-20 in MolotovCherry Android-ImageMagick7 24.03.2026 9.8
CVE-2026-4750 Out-of-bounds Read in fabiangreffrath woof 24.03.2026 9.1
CVE-2026-4753 Out-of-bounds Read in slajerek RetroDebugger 24.03.2026 9.1
CVE-2026-4283 WP DSGVO Tools (GDPR) <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users 24.03.2026 9.1
CVE-2026-4745 Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja 24.03.2026 10
CVE-2026-4746 Heap Buffer Over-Write Vulnerability in timeplus-io/proton 24.03.2026 10
CVE-2026-4734 Heap Buffer Overflow in yoyofr/modizer 24.03.2026 9.4
CVE-2026-4738 GDAL Bundled zlib (inftree9.c) Pointer Offset Optimization Undefined Behavior Allows Heap Corruption or Remote Code Execution 24.03.2026 9.4
CVE-2026-4739 Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK 24.03.2026 9.4
CVE-2026-4744 Notepad3 Bundled Oniguruma compile_string_node() Heap Buffer Overflow via Crafted Regex Pattern Allows Arbitrary Code Execution 24.03.2026 9.3
CVE-2026-33211 Tekton Pipelines git resolver has path traversal that allows reading arbitrary files from the resolver pod 24.03.2026 9.6
CVE-2026-33286 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names 24.03.2026 9.1
CVE-2026-4001 Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula 24.03.2026 9.8
CVE-2026-4681 Critical Remote Code Execution vulnerability reported in Windchill 24.03.2026 9.3
CVE-2026-33634 Trivy ecosystem supply chain briefly compromised 25.03.2026 9.4
CVE-2025-60949 Census CSWeb leaked configuration files 25.03.2026 9.3
CVE-2026-3055 Insufficient input validation leading to memory overread 24.03.2026 9.3
CVE-2026-30849 MantisBT SOAP API has an authentication bypass vulnerability on MySQL 24.03.2026 9.3
CVE-2026-0898 An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio developers who are automating Google Chrome and Microsoft Edge using either version 22.1 or R25. 24.03.2026 9
CVE-2026-33716 AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php 24.03.2026 9.4
CVE-2026-33502 AVideo has Unauthenticated SSRF via plugin/Live/test.php 24.03.2026 9.3
CVE-2026-33478 AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection 23.03.2026 10
CVE-2026-33351 AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass 23.03.2026 9.1
CVE-2026-33352 AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass) 24.03.2026 9.8
CVE-2025-41008 SQL Injection in Sinturno 23.03.2026 9.3
CVE-2025-41007 SQL Injection in Cuantis 23.03.2026 9.3
CVE-2026-32968 Unauthenticated RCE in com_mb24sysapi 23.03.2026 9.8
CVE-2026-4585 Tiandy Easy7 Integrated Management Platform Configuration ImportSystemConfiguration.jsp os command injection 23.03.2026 9.3
CVE-2026-3587 Hidden CLI Function Allows Root Access 24.03.2026 10
CVE-2026-4599 23.03.2026 9.3
CVE-2026-4600 23.03.2026 9.1
CVE-2026-4601 23.03.2026 9.4
CVE-2026-4567 Tenda A15 UploadCfg stack-based overflow 23.03.2026 9.3
CVE-2026-4606 GeoVision ERM Improper Privilege Assignment Leads to SYSTEM-Level Privilege 24.03.2026 10
CVE-2019-25614 Free Float FTP 1.0 STOR Command Remote Buffer Overflow 23.03.2026 9.3
CVE-2019-25568 Memu Play 6.0.7 Privilege Escalation via Insecure File Permissions 23.03.2026 9.3
CVE-2026-24060 Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information 23.03.2026 9.1
CVE-2026-29796 IGL-Technologies eParking.fi Missing Authentication for Critical Function 23.03.2026 9.3
CVE-2026-25192 CTEK Chargeportal Missing Authentication for Critical Function 23.03.2026 9.3
CVE-2026-33186 gRPC-Go has an authorization bypass via missing leading slash in :path 24.03.2026 9.1
CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process 23.03.2026 9.8
CVE-2026-22898 QVR Pro 25.03.2026 9.3
CVE-2026-22172 OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections 20.03.2026 9.4
CVE-2026-33134 WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter 20.03.2026 9.3
CVE-2026-33135 WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter 20.03.2026 9.3
CVE-2026-33136 WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter 20.03.2026 9.3
CVE-2026-33075 FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml 20.03.2026 9.4
CVE-2026-33057 Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py 25.03.2026 9.8
CVE-2026-33054 Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion 20.03.2026 10
CVE-2026-4478 Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification 20.03.2026 9.2
CVE-2026-33017 Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint 26.03.2026 9.3
CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator 20.03.2026 9.3
CVE-2026-32938 SiYuan has an Arbitrary File Read in its Desktop Publish Service 20.03.2026 9.9
CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) 20.03.2026 9.3
CVE-2026-4038 Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call 20.03.2026 9.8
CVE-2026-21992 24.03.2026 9.8
CVE-2026-32890 Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config 20.03.2026 9.7
CVE-2026-32891 Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS 20.03.2026 9.1
CVE-2026-32817 Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion 20.03.2026 9.1
CVE-2026-32767 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API 20.03.2026 9.8
CVE-2026-32985 Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution 20.03.2026 9.3
CVE-2026-32760 File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin 25.03.2026 10
CVE-2026-22732 Under Some Conditions Spring Security HTTP Headers Are not Written 21.03.2026 9.1
CVE-2026-29103 SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass 20.03.2026 9.1
CVE-2026-32038 OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter 20.03.2026 9.3
CVE-2026-30872 OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup 25.03.2026 9.5
CVE-2026-30871 OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query 25.03.2026 9.5
CVE-2026-32754 FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!}) 20.03.2026 9.3
CVE-2026-32194 Microsoft Bing Images Remote Code Execution Vulnerability 24.03.2026 9.8
CVE-2026-26137 Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability 24.03.2026 9.9
CVE-2026-32169 Azure Cloud Shell Elevation of Privilege Vulnerability 24.03.2026 10
CVE-2026-32191 Microsoft Bing Images Remote Code Execution Vulnerability 24.03.2026 9.8
CVE-2026-30924 qui CORS Misconfiguration: Arbitrary Origins Trusted 20.03.2026 9
CVE-2026-4428 CRL Distribution Point Scope Check Logic Error in AWS-LC 25.03.2026 9.1
CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) 25.03.2026 10
CVE-2026-32238 OpenEMR has Remote Code Execution in backup functionality 20.03.2026 9.1

Latest Updates

CVE Title Updated Score
CVE-2026-26071 EVerest: OCPP 2.0.1 EVCCID Data Race Leads to Heap Use-After-Free 26.03.2026 4.2
CVE-2026-26072 EVerest has race-condition-induced std::map corruption in OCPP 1.6 evse_soc_map 26.03.2026 4.2
CVE-2026-29933 26.03.2026
CVE-2026-4897 Polkit: polkit: denial of service via unbounded input processing through standard input 26.03.2026
CVE-2026-22790 EVerest's unchecked SLAC payload length causes stack overflow in HomeplugMessage::setup_payload 26.03.2026 8.8
CVE-2026-23995 EVerest has stack buffer overflow in ifreq.ifr_name when interface name exceeds IFNAMSIZ 26.03.2026 8.4
CVE-2026-26008 EVerest has OOB via EVSE ID Indexing Mismatch in OCPP 2.0.1 UpdateAllowedEnergyTransferModes 26.03.2026 7.5
CVE-2026-26070 EVerest: OCPP 2.0.1 EV SoC Update Race Causes Charge Point Crash 26.03.2026 4.6
CVE-2026-29934 26.03.2026
CVE-2026-29976 26.03.2026
CVE-2026-22593 EVerest has off-by-one stack buffer overflow in IsoMux certificate filename parsing 26.03.2026 8.4
CVE-2026-27663 26.03.2026 6.5
CVE-2026-27664 26.03.2026 7.5
CVE-2026-28297 SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability 26.03.2026 6.1
CVE-2026-28298 SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability 26.03.2026 5.9
CVE-2026-30162 26.03.2026
CVE-2026-33397 Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass 26.03.2026
CVE-2018-25211 Allok Video Splitter 3.1.1217 Buffer Overflow via License Name 26.03.2026
CVE-2018-25212 Boxoft wav-wma Converter 1.0 Local Buffer Overflow SEH 26.03.2026
CVE-2018-25213 Nsauditor 3.0.28.0 Local SEH Buffer Overflow 26.03.2026
CVE-2018-25214 MegaPing Local Buffer Overflow Denial of Service 26.03.2026
CVE-2018-25215 Excel Password Recovery Professional 8.2.0.0 Local Buffer Overflow DoS 26.03.2026
CVE-2018-25216 AnyBurn 4.3 Denial of Service Local Buffer Overflow 26.03.2026
CVE-2018-25217 PDF Explorer 1.5.66.2 Structured Exception Handler Local Code Execution 26.03.2026
CVE-2018-25218 PassFab RAR Password Recovery 9.3.2 SEH Buffer Overflow 26.03.2026
CVE-2018-25219 PassFab Excel Password Recovery 8.3.1 SEH Buffer Overflow 26.03.2026
CVE-2019-25648 MyVideoConverter Pro 3.14 Denial of Service Buffer Overflow 26.03.2026
CVE-2019-25649 River Past Audio Converter 7.7.16 Local Buffer Overflow DoS 26.03.2026
CVE-2019-25650 River Past CamDo 3.7.6 Structured Exception Handler Buffer Overflow 26.03.2026
CVE-2025-55261 HCL Aftermarket DPC is affected by Missing Functional Level Access Control 26.03.2026 8.1
CVE-2025-55262 HCL Aftermarket DPC is affected by SQL Injection 26.03.2026 8.3
CVE-2025-55263 HCL Aftermarket DPC is affected by Hardcoded Sensitive Data 26.03.2026 7.3
CVE-2025-55264 HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change 26.03.2026 5.5
CVE-2026-1032 Conditional Menus <= 1.2.6 - Cross-Site Request Forgery to Menu Options Update 26.03.2026 4.3
CVE-2026-2231 Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters 26.03.2026 7.2
CVE-2026-2389 Complianz – GDPR/CCPA Cookie Consent <= 7.4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Filter 26.03.2026 4.9
CVE-2026-2511 JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter 26.03.2026 7.5
CVE-2026-33343 etcd: Nested etcd transactions bypass RBAC authorization checks 26.03.2026 0
CVE-2026-33396 OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe 26.03.2026 10
CVE-2026-33413 etcd: Authorization bypasses in multiple APIs 26.03.2026
CVE-2026-4876 itsourcecode Free Hotel Reservation System index.php sql injection 26.03.2026
CVE-2026-4877 itsourcecode Payroll Management System index.php cross site scripting 26.03.2026
CVE-2025-41027 Multiple vulnerabilities in GDTaller 26.03.2026
CVE-2025-55265 HCL Aftermarket DPC is affected by File Discovery 26.03.2026 6.5
CVE-2025-55266 HCL Aftermarket DPC is affected by Session Fixation 26.03.2026 5.9
CVE-2025-55267 HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability 26.03.2026 5.7
CVE-2025-55268 HCL Aftermarket DPC is affected by Spamming Vulnerability 26.03.2026 4.3
CVE-2025-55269 HCL Aftermarket DPC is affected by Weak Password Policy vulnerability 26.03.2026 4.2
CVE-2025-55270 HCL Aftermarket DPC is affected by Improper Input Validation 26.03.2026 3.5
CVE-2025-55271 HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability 26.03.2026 3.1
CVE-2025-55272 HCL Aftermarket DPC is affected by Banner Disclosure vulnerability 26.03.2026 3.1
CVE-2025-55273 HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability 26.03.2026 4.3
CVE-2025-55274 HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability 26.03.2026 2.6
CVE-2025-55275 HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability 26.03.2026 3.7
CVE-2025-55276 HCL Aftermarket DPC is affected by Internal IP Disclosure vulnerability 26.03.2026 3.1
CVE-2025-55277 HCL Aftermarket DPC is affected by Use of Vulnerable/Outdated Versions vulnerability 26.03.2026 2.6
CVE-2026-1961 Foreman: foreman: remote code execution via command injection in websocket proxy 26.03.2026
CVE-2025-41026 Multiple vulnerabilities in GDTaller 26.03.2026
CVE-2025-41359 Multiple vulnerabilities in Small HTTP server by Smallsrv 26.03.2026
CVE-2026-4875 itsourcecode Free Hotel Reservation System index.php unrestricted upload 26.03.2026
CVE-2026-4887 Gimp: gimp: memory disclosure and denial of service via specially crafted pcx image 26.03.2026
CVE-2018-25183 Shipping System CMS 1.0 SQL Injection via admin login 26.03.2026
CVE-2018-25185 Wecodex Restaurant CMS 1.0 SQL Injection via Login 26.03.2026
CVE-2018-25195 Wecodex Hotel CMS 1.0 SQL Injection via Admin Login 26.03.2026
CVE-2018-25201 School Management System CMS 1.0 Admin Login SQL Injection 26.03.2026
CVE-2018-25202 SAT CFDI 3.3 SQL Injection via signIn endpoint 26.03.2026
CVE-2018-25203 Online Store System CMS 1.0 SQL Injection via clientaccess 26.03.2026
CVE-2018-25204 Library CMS 1.0 SQL Injection via admin login 26.03.2026
CVE-2018-25205 ASP.NET jVideo Kit 1.0 SQL Injection via query Parameter 26.03.2026
CVE-2018-25206 KomSeo Cart 1.3 SQL Injection via edit.php 26.03.2026
CVE-2018-25207 Online Quiz Maker 1.0 SQL Injection via catid Parameter 26.03.2026
CVE-2018-25208 qdPM 9.1 SQL Injection via filter_by Parameters 26.03.2026
CVE-2018-25209 OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter 26.03.2026
CVE-2018-25210 WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter 26.03.2026
CVE-2025-41368 Multiple vulnerabilities in Small HTTP server by Smallsrv 26.03.2026
CVE-2026-24068 Missing XPC Client & NSXPC endpoint validation leads to privilege escalation in Vienna Assistant (MacOS) - Vienna Symphonic Library 26.03.2026
CVE-2026-4809 Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable 26.03.2026
CVE-2026-4274 Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access 26.03.2026 5.4
CVE-2026-23396 wifi: mac80211: fix NULL deref in mesh_matches_local() 26.03.2026
CVE-2026-23397 nfnetlink_osf: validate individual option lengths in fingerprints 26.03.2026
CVE-2026-23398 icmp: fix NULL pointer dereference in icmp_tag_validation() 26.03.2026
CVE-2026-4262 Incorrect authorization in HiJiffy Chatbot 26.03.2026
CVE-2026-4263 Incorrect authorization in HiJiffy Chatbot 26.03.2026
CVE-2026-4862 UTT HiPER 1250GW Parameter formConfigDnsFilterGlobal strcpy buffer overflow 26.03.2026
CVE-2026-4860 648540858 wvp-GB28181-pro API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer deserialization 26.03.2026
CVE-2026-4861 Wavlink WL-NU516U1 nas.cgi ftext stack-based overflow 26.03.2026
CVE-2026-4849 code-projects Simple Laundry System Parameter modify.php cross site scripting 26.03.2026
CVE-2026-4850 code-projects Simple Laundry System Parameter checkregisitem.php sql injection 26.03.2026
CVE-2026-4874 Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation 26.03.2026
CVE-2026-28760 26.03.2026
CVE-2026-32680 26.03.2026
CVE-2026-4848 dameng100 muucmf list.html cross site scripting 26.03.2026
CVE-2026-4747 Remote code execution via RPCSEC_GSS packet validation 26.03.2026
CVE-2026-4847 dameng100 muucmf list.html cross site scripting 26.03.2026
CVE-2025-15433 Shared Files < 1.7.58 - Contributor+ Arbitrary File Download 26.03.2026
CVE-2025-15488 Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution 26.03.2026
CVE-2026-1430 WP Lightbox 2 < 3.0.7 - Admin+ Stored XSS 26.03.2026
CVE-2026-1890 LeadConnector < 3.0.22 - Unauthenticated Rest Call 26.03.2026
CVE-2026-4247 TCP: remotely exploitable DoS vector (mbuf leak) 26.03.2026
CVE-2026-4652 Remote denial of service via null pointer dereference 26.03.2026
CVE-2026-1206 Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template 26.03.2026 4.3
CVE-2026-4845 dameng100 muucmf index.html cross site scripting 26.03.2026
CVE-2026-4846 dameng100 muucmf autoReply.html cross site scripting 26.03.2026
CVE-2026-4389 DSGVO snippet for Leaflet Map and its Extensions <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute 26.03.2026 6.4
CVE-2026-4842 itsourcecode Online Enrollment System Parameter index.php sql injection 26.03.2026
CVE-2026-4844 code-projects Online Food Ordering System Admin Login admin.php sql injection 26.03.2026
CVE-2026-2931 Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change 26.03.2026 8.8
CVE-2026-33201 26.03.2026
CVE-2026-4278 Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute 26.03.2026 6.4
CVE-2026-4281 FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow 26.03.2026 5.3
CVE-2026-4329 Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header 26.03.2026 7.2
CVE-2026-4331 Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action 26.03.2026 4.3
CVE-2026-4840 Netcore Power 15AX Diagnostic Tool netis.cgi setTools os command injection 26.03.2026
CVE-2026-4841 code-projects Online Food Ordering System Shopping Cart cart.php sql injection 26.03.2026
CVE-2026-1986 FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter 26.03.2026 6.1
CVE-2026-3328 Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts 26.03.2026 7.2
CVE-2026-4075 BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute 26.03.2026 6.4
CVE-2026-4335 ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title 26.03.2026 5.4
CVE-2026-4838 SourceCodester Malawi Online Market display.php sql injection 26.03.2026
CVE-2026-4839 SourceCodester Food Ordering System Parameter purchase.php sql injection 26.03.2026
CVE-2014-125112 Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution 26.03.2026
CVE-2025-15101 26.03.2026
CVE-2026-4835 code-projects Accounting System Web Application add_costumer.php cross site scripting 26.03.2026
CVE-2026-4836 code-projects Accounting System delete.php sql injection 26.03.2026
CVE-2026-4484 Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator 26.03.2026 9.8
CVE-2026-4831 kalcaddle kodbox Password-protected Share auth.class.php can improper authentication 26.03.2026
CVE-2026-4833 Orc discount Markdown markdown.c compile recursion 26.03.2026
CVE-2026-32748 Squid has Denial of Service in ICP Response handling 26.03.2026
CVE-2026-33182 Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL 26.03.2026
CVE-2026-33183 Saloon has a Fixture Name Path Traversal Vulnerability 26.03.2026
CVE-2026-33285 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash 26.03.2026 7.5
CVE-2026-33287 LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern 26.03.2026 7.5
CVE-2026-33515 Squid has issues in ICP message handling 26.03.2026
CVE-2026-33526 Squid vulnerable to Denial of Service in ICP Request handling 26.03.2026
CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE) 26.03.2026
CVE-2026-4830 kalcaddle kodbox Public Share userShare.class.php add privilege escalation 26.03.2026
CVE-2026-30892 Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation 25.03.2026 0
CVE-2026-34056 OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data 25.03.2026 7.7
CVE-2026-33932 OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes 25.03.2026 7.6
CVE-2026-33933 Reflected XSS via Unescaped contextName Parameter in Custom Template Editor 26.03.2026 6.1
CVE-2026-33934 OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures 25.03.2026 4.3
CVE-2026-34051 OpenEMR has Improper ACL On Import/Export Popup 25.03.2026 5.4
CVE-2026-34053 OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler 26.03.2026 7.1
CVE-2026-34055 OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification 26.03.2026 8.1
CVE-2026-33915 OpenEMR Missing ACL Checks on Insurance Company API Routes 26.03.2026 5.4
CVE-2026-33917 OpenEMR has SQL Injection in CAMOS Form 26.03.2026 8.8
CVE-2026-33918 OpenEMR Missing Authorization on Claim File Download Endpoint 25.03.2026 7.6
CVE-2026-33931 OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access 25.03.2026 6.5
CVE-2026-4758 WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field 25.03.2026 8.8
CVE-2026-4826 SourceCodester Sales and Inventory System HTTP GET Parameter update_stock.php sql injection 25.03.2026
CVE-2026-33914 OpenEMR has SQL Injection in PostCalendar Category Delete 25.03.2026 7.2
CVE-2026-33910 OpenEMR has a SQL Injection Vulnerability in patient selection 25.03.2026 7.2
CVE-2026-33911 OpenEMR vulnerable to reflected XSS in graphs.php via title parameter 26.03.2026 5.4
CVE-2026-33912 OpenEMR has reflected XSS in ajax_download.php via reportID parameter 26.03.2026 5.4
CVE-2026-33913 OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files 25.03.2026 7.7
CVE-2026-29187 OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php 25.03.2026 8.1
CVE-2026-32120 OpenEMR has IDOR in Fee Sheet Product Save 26.03.2026 6.5
CVE-2026-33348 OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3 26.03.2026 8.7
CVE-2026-33909 OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing 25.03.2026 5.9
CVE-2026-4825 SourceCodester Sales and Inventory System HTTP GET Parameter update_sales.php sql injection 25.03.2026
CVE-2025-2535 25.03.2026
CVE-2026-4823 Enter Software Iperius Backup NTLM2 information disclosure 26.03.2026
CVE-2026-4824 Enter Software Iperius Backup Backup Job Configuration File privileges management 26.03.2026
CVE-2025-14684 IBM Maximo Application Suite - Monitor Component uses Log Forging which is vulnerable to . 25.03.2026 4
CVE-2025-36187 Multiple Security vulnerabilities affecting IBM Knowledge Catalog Standard Cartridge 25.03.2026 4.4
CVE-2026-30975 Sonarr Authentication Bypass vulnerability 26.03.2026 8.1
CVE-2026-30976 Sonarr Path Traversal vulnerability 25.03.2026 8.6
CVE-2025-14807 IBM InfoSphere Information Server is vulnerable to HTTP header injection 26.03.2026 6.5
CVE-2026-1015 IBM InfoSphere Information Server is vulnerable to server-side request forgery 25.03.2026 5.4
CVE-2025-36258 IBM InfoSphere Information Server is vulnerable due to plaintext storage of a password 25.03.2026 7.1
CVE-2025-36422 IBM InfoSphere Information Server is vulnerable to cross-site request forgery 25.03.2026 4.3
CVE-2025-36438 Multiple Vulnerabilities in IBM Concert Software 26.03.2026 5.1
CVE-2025-36440 Multiple Vulnerabilities in IBM Concert Software 25.03.2026 5.1
CVE-2025-64646 Multiple Vulnerabilities in IBM Concert Software 25.03.2026 6.2
CVE-2025-64647 Multiple Vulnerabilities in IBM Concert Software 25.03.2026 5.9
CVE-2025-64648 Multiple Vulnerabilities in IBM Concert Software 26.03.2026 5.9
CVE-2026-1014 IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information 25.03.2026 6.5
CVE-2026-2483 IBM InfoSphere Information Server Cross-Site Scripting 25.03.2026 5.4
CVE-2026-2484 IBM InfoSphere Information Server Information Disclosure 25.03.2026 4.3
CVE-2026-4822 Enter Software Iperius Backup Backup Service Local Privilege Escalation 25.03.2026
CVE-2025-14808 IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information 25.03.2026 3.1
CVE-2025-14810 IBM InfoSphere Information Server is vulnerable due to insufficient session expiration 25.03.2026 6.3
CVE-2025-14912 IBM InfoSphere Information Server is vulnerable to server-side request forgery 25.03.2026 5.4
CVE-2025-14915 IBM WebSphere Application Server Liberty is affected by a privilege escalation vulnerability 26.03.2026 6.5
CVE-2025-14917 IBM WebSphere Application Server Liberty could provide weaker than expected security 25.03.2026 6.7
CVE-2025-14974 IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference 25.03.2026 5.7
CVE-2026-1262 IBM InfoSphere Information Server Information Disclosure 25.03.2026 4.3
CVE-2026-1561 IBM WebSphere Application Server Liberty Server-Side Request Forgery 26.03.2026 5.4
CVE-2026-2485 IBM InfoSphere Information Server Cross-Site Scripting 25.03.2026 4.8
CVE-2026-33222 NATS JetStream has an authorization bypass through its Management API 26.03.2026 4.9
CVE-2026-33223 NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing 25.03.2026 6.4
CVE-2026-33248 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching 25.03.2026 4.2
CVE-2026-33249 NATS: Message tracing can be redirected to arbitrary subject 25.03.2026 4.3
CVE-2025-12708 Multiple Vulnerabilities in IBM Concert Software 25.03.2026 6.2
CVE-2025-14790 IBM InfoSphere Information Server is vulnerable to disclosure of sensitive information 26.03.2026 6.5
CVE-2026-33247 NATS credentials are exposed in monitoring port via command-line argv 25.03.2026 7.4
CVE-2026-29785 NATS Server panic via malicious compression on leafnode port 25.03.2026 7.5
CVE-2026-33216 NATS has MQTT plaintext password disclosure 25.03.2026 8.6
CVE-2026-33217 NATS allows MQTT clients to bypass ACL checks 25.03.2026 7.1
CVE-2026-33218 NATS has pre-auth server panic via leafnode handling 26.03.2026 7.5
CVE-2026-33219 NATS is vulnerable to pre-auth DoS through WebSockets client service 25.03.2026 5.3
CVE-2026-33246 NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers 25.03.2026 6.4
CVE-2026-27889 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead 25.03.2026 7.5
CVE-2025-70888 25.03.2026
CVE-2025-70887 25.03.2026
CVE-2026-27602 Modoboa has an OS Command Injection 26.03.2026 7.2
CVE-2026-33749 n8n Vulnerable to XSS via Binary Data Inline HTML Rendering 25.03.2026
CVE-2026-33751 n8n Vulnerable to LDAP Filter Injection in LDAP Node 25.03.2026
CVE-2025-70952 25.03.2026
CVE-2026-33724 n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no 25.03.2026
CVE-2026-33809 OOM from malicious IFD offset in golang.org/x/image/tiff 25.03.2026