CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step | 03.04.2026 | 9.1 |
| CVE-2026-31818 | Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist | 03.04.2026 | 9.6 |
| CVE-2026-5463 | | 03.04.2026 | 9.3 |
| CVE-2026-26135 | Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability | 03.04.2026 | 9.6 |
| CVE-2026-32211 | Azure MCP Server Information Disclosure Vulnerability | 03.04.2026 | 9.1 |
| CVE-2026-32213 | Azure AI Foundry Elevation of Privilege Vulnerability | 03.04.2026 | 10 |
| CVE-2026-33105 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | 03.04.2026 | 10 |
| CVE-2026-33107 | Azure Databricks Elevation of Privilege Vulnerability | 03.04.2026 | 10 |
| CVE-2025-15620 | HiOS Switch Platform Denial-of-Service via Web Interface | 03.04.2026 | 9.2 |
| CVE-2024-14034 | Hirschmann HiEOS Authentication Bypass via HTTP Management Module | 03.04.2026 | 9.3 |
| CVE-2026-34838 | Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection` | 03.04.2026 | 10 |
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | 03.04.2026 | 9.2 |
| CVE-2026-34745 | Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public | 02.04.2026 | 9.1 |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | 02.04.2026 | 9.1 |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | 03.04.2026 | 9.2 |
| CVE-2026-34717 | OpenProject: SQL Injection in Cost Reporting =n Operator via parse_number_string | 03.04.2026 | 9.9 |
| CVE-2026-33950 | signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity | 02.04.2026 | 9.4 |
| CVE-2026-33746 | Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users | 02.04.2026 | 9.8 |
| CVE-2026-32871 | FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability | 02.04.2026 | 10 |
| CVE-2026-35002 | Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution | 02.04.2026 | 9.3 |
| CVE-2026-2699 | EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC) | 03.04.2026 | 9.8 |
| CVE-2026-2701 | RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC) | 03.04.2026 | 9.1 |
| CVE-2026-33615 | MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint | 02.04.2026 | 9.1 |
| CVE-2026-34563 | CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS | 02.04.2026 | 9.1 |
| CVE-2026-34564 | CI4MS: Menu Management (Pages) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34565 | CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34566 | CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 01.04.2026 | 9.1 |
| CVE-2026-34567 | CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34568 | CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34569 | CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 10 |
| CVE-2026-34570 | CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw) | 01.04.2026 | 10 |
| CVE-2026-34571 | CI4MS: Stored Cross-Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise | 02.04.2026 | 10 |
| CVE-2026-34559 | CI4MS: Blogs Tags Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34560 | CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 02.04.2026 | 9.1 |
| CVE-2026-34456 | Reviactyl: OAuth account takeover via auto-linking | 02.04.2026 | 9.1 |
| CVE-2026-34751 | Payload has Unvalidated Input in Password Recovery Endpoints | 01.04.2026 | 9.1 |
| CVE-2026-34159 | llama.cpp: Unauthenticated RCE via GRAPH_COMPUTE buffer=0 bypass in llama.cpp RPC backend | 02.04.2026 | 9.8 |
| CVE-2026-20093 | Cisco Integrated Management Controller Authentication Bypass Vulnerability | 02.04.2026 | 9.8 |
| CVE-2026-20160 | Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability | 02.04.2026 | 9.8 |
| CVE-2026-29014 | MetInfo CMS Unauthenticated PHP Code Injection RCE | 03.04.2026 | 9.3 |
| CVE-2026-4370 | Improper TLS Client/Server authentication and certificate verification on Database Cluster | 01.04.2026 | 10 |
| CVE-2025-71279 | XenForo Passkey Security Bypass | 01.04.2026 | 9.3 |
| CVE-2026-34448 | SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client | 31.03.2026 | 9.1 |
| CVE-2026-34449 | SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection | 01.04.2026 | 9.7 |
| CVE-2026-34406 | APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint | 31.03.2026 | 9.4 |
| CVE-2026-1579 | PX4 Autopilot Missing authentication for critical function | 31.03.2026 | 9.3 |
| CVE-2026-3356 | Missing Authentication for Critical Function vulnerability in Anritsu Remote Spectrum Monitor | 01.04.2026 | 9.3 |
| CVE-2026-34361 | HAPI FHIR: Unauthenticated SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft | 31.03.2026 | 9.3 |
| CVE-2026-34243 | wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body` | 02.04.2026 | 9.8 |
| CVE-2026-34220 | MikroORM is vulnerable to SQL Injection via specially crafted object | 02.04.2026 | 9.3 |
| CVE-2026-0596 | Command Injection in mlflow/mlflow | 01.04.2026 | 9.6 |
| CVE-2026-34532 | Parse Server: Cloud function validator bypass via prototype chain traversal | 31.03.2026 | 9.1 |
| CVE-2026-34162 | FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft | 31.03.2026 | 10 |
| CVE-2026-34202 | Zebra node crash — V5 transaction hash panic (P2P reachable) | 31.03.2026 | 9.2 |
| CVE-2026-34156 | NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node | 02.04.2026 | 10 |
| CVE-2026-32916 | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | 31.03.2026 | 9.2 |
| CVE-2026-32917 | OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP | 31.03.2026 | 9.2 |
| CVE-2026-4317 | SQL injection in Umami Software application | 31.03.2026 | 9.3 |
| CVE-2026-3106 | Multiple vulnerabilities in Teampass | 31.03.2026 | 9.3 |
| CVE-2026-3107 | Multiple vulnerabilities in Teampass | 31.03.2026 | 9.3 |
| CVE-2026-32714 | SciTokens vulnerable to SQL Injection in KeyCache | 31.03.2026 | 9.8 |
| CVE-2026-3300 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | 31.03.2026 | 9.8 |
| CVE-2026-21861 | baserCMS: OS Command Injection Leading to Remote Code Execution (RCE) | 31.03.2026 | 9.1 |
| CVE-2026-30877 | baserCMS: OS Command Injection in the baserCMS Update Functionality | 02.04.2026 | 9.1 |
| CVE-2026-30880 | baserCMS: OS command injection vulnerability in installer | 31.03.2026 | 9.2 |
| CVE-2026-4257 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | 31.03.2026 | 9.8 |
| CVE-2026-31946 | OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow | 31.03.2026 | 9.8 |
| CVE-2026-34557 | CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 31.03.2026 | 9.1 |
| CVE-2026-34558 | CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS | 31.03.2026 | 9.1 |
| CVE-2026-33026 | nginx-ui Backup Restore Allows Tampering with Encrypted Backups | 31.03.2026 | 9.4 |
| CVE-2026-34714 | | 03.04.2026 | 9.2 |
| CVE-2026-33032 | Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover | 30.03.2026 | 9.8 |
| CVE-2026-4415 | GIGABYTE\|Gigabyte Control Center - Arbitrary File Write | 31.03.2026 | 9.2 |
| CVE-2025-15379 | Command Injection in mlflow/mlflow | 31.03.2026 | 10 |
| CVE-2025-15036 | Path Traversal Vulnerability in mlflow/mlflow | 31.03.2026 | 9.6 |
| CVE-2026-32915 | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Subagent Control Surface | 30.03.2026 | 9.3 |
| CVE-2026-32918 | OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool | 30.03.2026 | 9.2 |
| CVE-2026-32922 | OpenClaw < 2026.3.11 - Privilege Escalation via Unvalidated Scope in device.token.rotate | 30.03.2026 | 9.4 |
| CVE-2026-32978 | OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners | 30.03.2026 | 9.4 |
| CVE-2026-32987 | OpenClaw < 2026.3.13 - Bootstrap Setup Code Replay via Device Pairing | 30.03.2026 | 9.3 |
| CVE-2016-20049 | JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution | 30.03.2026 | 9.3 |
| CVE-2017-20225 | TiEmu 2.08 Stack-Based Buffer Overflow Vulnerability | 30.03.2026 | 9.3 |
| CVE-2017-20227 | JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow | 01.04.2026 | 9.3 |
| CVE-2017-20229 | MAWK 1.3.3-17 Stack-Based Buffer Overflow | 30.03.2026 | 9.3 |
| CVE-2018-25220 | Bochs 2.6-5 Buffer Overflow Remote Code Execution | 30.03.2026 | 9.3 |
| CVE-2018-25221 | EChat Server 3.1 Buffer Overflow via chat.ghp username Parameter | 30.03.2026 | 9.3 |
| CVE-2018-25223 | Crashmail 1.6 Stack-based Buffer Overflow Remote Code Execution | 01.04.2026 | 9.3 |
| CVE-2026-33992 | pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration | 30.03.2026 | 9.3 |
| CVE-2026-33976 | Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering | 03.04.2026 | 9.7 |
| CVE-2026-33937 | Handlebars.js has JavaScript Injection via AST Type Confusion | 01.04.2026 | 9.8 |
| CVE-2026-33875 | Authenticator Vulnerable to Authentication Flow Hijack | 03.04.2026 | 9.3 |
| CVE-2026-33873 | Langflow has Authenticated Code Execution in Agentic Assistant Validation | 02.04.2026 | 9.3 |
| CVE-2026-34205 | Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mode | 01.04.2026 | 9.7 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-25118 | immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums | 03.04.2026 | |
| CVE-2026-35214 | Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write | 03.04.2026 | 8.7 |
| CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step | 03.04.2026 | 9.1 |
| CVE-2026-35218 | Budibase: Stored XSS via unsanitized entity names rendered with {@html} in Builder Command Palette | 03.04.2026 | 8.7 |
| CVE-2026-5471 | Investory Toy Planet Trouble App app.investory.toyfactory google-services-desktop.json hard-coded key | 03.04.2026 | |
| CVE-2025-68152 | Juju: Read All Controller Logs From Compromised Workload | 03.04.2026 | |
| CVE-2025-68153 | Juju: Resource poisoning | 03.04.2026 | |
| CVE-2026-25043 | Budibase: Unauthenticated Password Reset Endpoint Lacks Rate Limiting, Enabling Email Flooding | 03.04.2026 | 5.3 |
| CVE-2026-25044 | Budibase: Command Injection in Bash Automation Step | 03.04.2026 | |
| CVE-2026-31818 | Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist | 03.04.2026 | 9.6 |
| CVE-2026-5470 | mixelpixx Google-Research-MCP Model Context Protocol content-extractor.service.ts extractContent server-side request forgery | 03.04.2026 | |
| CVE-2025-64340 | FastMCP has a Command Injection vulnerability - Gemini CLI | 03.04.2026 | 6.7 |
| CVE-2026-23427 | ksmbd: fix use-after-free in durable v2 replay of active file handles | 03.04.2026 | |
| CVE-2026-23428 | ksmbd: fix use-after-free of share_conf in compound request | 03.04.2026 | |
| CVE-2026-23429 | iommu/sva: Fix crash in iommu_sva_unbind_device() | 03.04.2026 | |
| CVE-2026-23430 | drm/vmwgfx: Don't overwrite KMS surface dirty tracker | 03.04.2026 | |
| CVE-2026-23431 | spi: amlogic-spisg: Fix memory leak in aml_spisg_probe() | 03.04.2026 | |
| CVE-2026-23432 | mshv: Fix use-after-free in mshv_map_user_memory error path | 03.04.2026 | |
| CVE-2026-23433 | arm_mpam: Fix null pointer dereference when restoring bandwidth counters | 03.04.2026 | |
| CVE-2026-23434 | mtd: rawnand: serialize lock/unlock against other NAND operations | 03.04.2026 | |
| CVE-2026-23435 | perf/x86: Move event pointer setup earlier in x86_pmu_enable() | 03.04.2026 | |
| CVE-2026-23436 | net: shaper: protect from late creation of hierarchy | 03.04.2026 | |
| CVE-2026-23437 | net: shaper: protect late read accesses to the hierarchy | 03.04.2026 | |
| CVE-2026-23438 | net: mvpp2: guard flow control update with global_tx_fc in buffer switching | 03.04.2026 | |
| CVE-2026-23439 | udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n | 03.04.2026 | |
| CVE-2026-23440 | net/mlx5e: Fix race condition during IPSec ESN update | 03.04.2026 | |
| CVE-2026-23441 | net/mlx5e: Prevent concurrent access to IPSec ASO context | 03.04.2026 | |
| CVE-2026-23442 | ipv6: add NULL checks for idev in SRv6 paths | 03.04.2026 | |
| CVE-2026-23443 | ACPI: processor: Fix previous acpi_processor_errata_piix4() fix | 03.04.2026 | |
| CVE-2026-23444 | wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure | 03.04.2026 | |
| CVE-2026-23445 | igc: fix page fault in XDP TX timestamps handling | 03.04.2026 | |
| CVE-2026-23446 | net: usb: aqc111: Do not perform PM inside suspend callback | 03.04.2026 | |
| CVE-2026-23447 | net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check | 03.04.2026 | |
| CVE-2026-23448 | net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check | 03.04.2026 | |
| CVE-2026-23449 | net/sched: teql: Fix double-free in teql_master_xmit | 03.04.2026 | |
| CVE-2026-23450 | net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() | 03.04.2026 | |
| CVE-2026-23451 | bonding: prevent potential infinite loop in bond_header_parse() | 03.04.2026 | |
| CVE-2026-23452 | PM: runtime: Fix a race condition related to device removal | 03.04.2026 | |
| CVE-2026-23453 | net: ti: icssg-prueth: Fix memory leak in XDP_DROP for non-zero-copy mode | 03.04.2026 | |
| CVE-2026-23454 | net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown | 03.04.2026 | |
| CVE-2026-23455 | netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() | 03.04.2026 | |
| CVE-2026-23456 | netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case | 03.04.2026 | |
| CVE-2026-23457 | netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() | 03.04.2026 | |
| CVE-2026-23458 | netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() | 03.04.2026 | |
| CVE-2026-23459 | ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS | 03.04.2026 | |
| CVE-2026-23460 | net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect | 03.04.2026 | |
| CVE-2026-23461 | Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user | 03.04.2026 | |
| CVE-2026-23462 | Bluetooth: HIDP: Fix possible UAF | 03.04.2026 | |
| CVE-2026-23463 | soc: fsl: qbman: fix race condition in qman_destroy_fq | 03.04.2026 | |
| CVE-2026-23464 | soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() | 03.04.2026 | |
| CVE-2026-23465 | btrfs: log new dentries when logging parent dir of a conflicting inode | 03.04.2026 | |
| CVE-2026-23466 | drm/xe: Open-code GGTT MMIO access protection | 03.04.2026 | |
| CVE-2026-23467 | drm/i915/dmc: Fix an unlikely NULL pointer dereference at probe | 03.04.2026 | |
| CVE-2026-23468 | drm/amdgpu: Limit BO list entry count to prevent resource exhaustion | 03.04.2026 | |
| CVE-2026-23469 | drm/imagination: Synchronize interrupts before suspending the GPU | 03.04.2026 | |
| CVE-2026-23470 | drm/imagination: Fix deadlock in soft reset sequence | 03.04.2026 | |
| CVE-2026-23471 | drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug | 03.04.2026 | |
| CVE-2026-23472 | serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN | 03.04.2026 | |
| CVE-2026-23473 | io_uring/poll: fix multishot recv missing EOF on wakeup race | 03.04.2026 | |
| CVE-2026-23474 | mtd: Avoid boot crash in RedBoot partition table parser | 03.04.2026 | |
| CVE-2026-23475 | spi: fix statistics allocation | 03.04.2026 | |
| CVE-2026-27124 | FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities | 03.04.2026 | |
| CVE-2026-31389 | spi: fix use-after-free on controller registration failure | 03.04.2026 | |
| CVE-2026-31390 | drm/xe: Fix memory leak in xe_vm_madvise_ioctl | 03.04.2026 | |
| CVE-2026-31391 | crypto: atmel-sha204a - Fix OOM ->tfm_count leak | 03.04.2026 | |
| CVE-2026-31392 | smb: client: fix krb5 mount with username option | 03.04.2026 | |
| CVE-2026-31393 | Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access | 03.04.2026 | |
| CVE-2026-31394 | mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations | 03.04.2026 | |
| CVE-2026-31395 | bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler | 03.04.2026 | |
| CVE-2026-31396 | net: macb: fix use-after-free access to PTP clock | 03.04.2026 | |
| CVE-2026-31397 | mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd() | 03.04.2026 | |
| CVE-2026-31398 | mm/rmap: fix incorrect pte restoration for lazyfree folios | 03.04.2026 | |
| CVE-2026-31399 | nvdimm/bus: Fix potential use after free in asynchronous initialization | 03.04.2026 | |
| CVE-2026-31400 | sunrpc: fix cache_request leak in cache_release | 03.04.2026 | |
| CVE-2026-31401 | HID: bpf: prevent buffer overflow in hid_hw_request | 03.04.2026 | |
| CVE-2026-31402 | nfsd: fix heap overflow in NFSv4.0 LOCK replay cache | 03.04.2026 | |
| CVE-2026-31403 | NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd | 03.04.2026 | |
| CVE-2026-31404 | NFSD: Defer sub-object cleanup in export put callbacks | 03.04.2026 | |
| CVE-2025-59709 | | 03.04.2026 | |
| CVE-2025-59710 | | 03.04.2026 | |
| CVE-2025-59711 | | 03.04.2026 | |
| CVE-2026-26477 | | 03.04.2026 | |
| CVE-2026-5469 | Casdoor Webhook URL server-side request forgery | 03.04.2026 | |
| CVE-2026-23418 | drm/xe/reg_sr: Fix leak on xa_store failure | 03.04.2026 | |
| CVE-2026-23419 | net/rds: Fix circular locking dependency in rds_tcp_tune | 03.04.2026 | |
| CVE-2026-23420 | wifi: wlcore: Fix a locking bug | 03.04.2026 | |
| CVE-2026-23421 | drm/xe/configfs: Free ctx_restore_mid_bb in release | 03.04.2026 | |
| CVE-2026-23422 | dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler | 03.04.2026 | |
| CVE-2026-23423 | btrfs: free pages on error in btrfs_uring_read_extent() | 03.04.2026 | |
| CVE-2026-23424 | accel/amdxdna: Validate command buffer payload count | 03.04.2026 | |
| CVE-2026-23425 | KVM: arm64: Fix ID register initialization for non-protected pKVM guests | 03.04.2026 | |
| CVE-2026-23426 | drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() | 03.04.2026 | |
| CVE-2026-25773 | Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix) | 03.04.2026 | 8.1 |
| CVE-2026-28736 | Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix) | 03.04.2026 | 4.3 |
| CVE-2026-5468 | Casdoor dangerouslySetInnerHTML cross site scripting | 03.04.2026 | |
| CVE-2026-27655 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-4108 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-28703 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-3879 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-3880 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-4107 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-5467 | Casdoor OAuth Authorization Request redirect | 03.04.2026 | |
| CVE-2026-28756 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2026-28754 | Stored XSS Vulnerability | 03.04.2026 | 7.3 |
| CVE-2025-7024 | Local privilege escalation in Windows Server OS through installed Tetra Connectivity Server (TCS) | 03.04.2026 | |
| CVE-2026-4350 | Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter | 03.04.2026 | 8.1 |
| CVE-2026-5462 | Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key | 03.04.2026 | |
| CVE-2026-5458 | Noelse Individuals & Pro App com.afone.noelse BuildConfig.java hard-coded key | 03.04.2026 | |
| CVE-2026-5457 | PropertyGuru AgentNet Singapore App com.allproperty.android.agentnet BuildConfig.java hard-coded key | 03.04.2026 | |
| CVE-2026-5455 | Dialogue App ca.diagram.dialogue config.json hard-coded key | 03.04.2026 | |
| CVE-2026-5456 | Align Technology My Invisalign App com.aligntech.myinvisalign.emea BuildConfig.java hard-coded key | 03.04.2026 | |
| CVE-2026-35549 | | 03.04.2026 | 6.5 |
| CVE-2026-5453 | Rico só vantagem pra investir App br.com.rico.mobile SegmentSettingsModule.java hard-coded key | 03.04.2026 | |
| CVE-2026-5454 | GRID Organiser App co.gridapp.organiser app.json hard-coded key | 03.04.2026 | |
| CVE-2026-5463 | | 03.04.2026 | |
| CVE-2026-35538 | | 03.04.2026 | 3.1 |
| CVE-2026-35539 | | 03.04.2026 | 6.1 |
| CVE-2026-35540 | | 03.04.2026 | 5.4 |
| CVE-2026-35541 | | 03.04.2026 | 4.2 |
| CVE-2026-35542 | | 03.04.2026 | 5.3 |
| CVE-2026-35543 | | 03.04.2026 | 5.3 |
| CVE-2026-35544 | | 03.04.2026 | 5.3 |
| CVE-2026-35545 | | 03.04.2026 | 5.3 |
| CVE-2026-35536 | | 03.04.2026 | 7.2 |
| CVE-2026-35537 | | 03.04.2026 | 3.7 |
| CVE-2026-5452 | UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key | 03.04.2026 | |
| CVE-2026-28815 | | 03.04.2026 | |
| CVE-2026-35535 | | 03.04.2026 | 7.4 |
| CVE-2026-35507 | | 03.04.2026 | 6.4 |
| CVE-2026-35508 | | 03.04.2026 | 5.4 |
| CVE-2026-26135 | Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability | 03.04.2026 | 9.6 |
| CVE-2026-32173 | Azure SRE Agent Information Disclosure Vulnerability | 03.04.2026 | 8.6 |
| CVE-2026-32211 | Azure MCP Server Information Disclosure Vulnerability | 03.04.2026 | 9.1 |
| CVE-2026-32213 | Azure AI Foundry Elevation of Privilege Vulnerability | 03.04.2026 | 10 |
| CVE-2026-33105 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | 03.04.2026 | 10 |
| CVE-2026-33107 | Azure Databricks Elevation of Privilege Vulnerability | 03.04.2026 | 10 |
| CVE-2022-4986 | Hirschmann EagleSDV Denial of Service via TLS | 03.04.2026 | 7.5 |
| CVE-2024-14033 | Hirschmann EagleSDV Denial of Service via TLS | 03.04.2026 | 7.5 |
| CVE-2025-15620 | HiOS Switch Platform Denial-of-Service via Web Interface | 03.04.2026 | 9.3 |
| CVE-2026-30251 | | 03.04.2026 | |
| CVE-2026-30252 | | 03.04.2026 | |
| CVE-2026-35466 | Stored XSS via unsanitized input from remote service | 03.04.2026 | |
| CVE-2026-35467 | Private Key stored as extractable in browser IndexedDB | 03.04.2026 | |
| CVE-2023-7343 | Belden Industrial HiVision Arbitrary Code Execution via Malicious Project File | 02.04.2026 | 7.8 |
| CVE-2024-14034 | Hirschmann HiEOS Authentication Bypass via HTTP Management Module | 03.04.2026 | 9.8 |
| CVE-2026-34847 | hoppscotch: Open redirect via `/enter?redirect=` | 03.04.2026 | 4.7 |
| CVE-2026-34848 | hoppscotch: Stored XSS in team member overflow tooltip via display name | 03.04.2026 | 5.4 |
| CVE-2026-34931 | hoppscotch: Improper loopback redirect_uri validation in device-login flow | 03.04.2026 | |
| CVE-2026-34932 | hoppscotch: Stored XSS via mock server responses on backend origin | 03.04.2026 | |
| CVE-2026-34760 | vLLM: Downmix Implementation Differences as Attack Vectors Against Audio AI Models | 03.04.2026 | 5.9 |
| CVE-2026-34761 | Ella Core Panics Upon NGAP handover failure | 03.04.2026 | 5.8 |
| CVE-2026-34762 | Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber | 03.04.2026 | 2.7 |
| CVE-2026-34825 | NocoBase Has SQL Injection via template variable substitution in workflow SQL node | 03.04.2026 | |
| CVE-2026-34832 | Scoold: Cross-Account Feedback Deletion (IDOR) | 03.04.2026 | 6.5 |
| CVE-2026-34833 | Bulwark Webmail: Information Exposure: password returned in /api/auth/session | 03.04.2026 | |
| CVE-2026-34834 | Bulwark Webmail: Authentication Bypass in verifyIdentity() due to missing cookie validation | 02.04.2026 | |
| CVE-2026-34838 | Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection` | 03.04.2026 | 10 |
| CVE-2026-34840 | OneUptime SSO: Multi-Assertion Identity Injection via Decoupled Signature Verification | 02.04.2026 | 8.1 |
| CVE-2026-35053 | OneUptime: Unauthenticated Workflow Execution via ManualAPI | 03.04.2026 | |
| CVE-2026-35383 | Bentley Systems iTwin Platform exposed access token | 02.04.2026 | 6.5 |
| CVE-2026-5420 | Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key | 03.04.2026 | |
| CVE-2026-34745 | Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public | 02.04.2026 | 9.1 |
| CVE-2026-34752 | Haraka affected by DoS via `__proto__` email header | 03.04.2026 | |
| CVE-2026-34758 | OneUptime: Missing Authentication on Notification Endpoints | 02.04.2026 | 9.1 |
| CVE-2026-34759 | OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure | 03.04.2026 | |
| CVE-2026-5429 | Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme | 02.04.2026 | 7.8 |