| CVE-2026-30302 |
|
27.03.2026 |
|
| CVE-2026-30531 |
|
27.03.2026 |
|
| CVE-2026-32983 |
SSL/TLS Renegotiation DoS in Wazuh Manager authd service |
27.03.2026 |
|
| CVE-2026-4958 |
OpenBMB XAgent WebSocket Endpoint replayer.py ReplayServer.send_data authorization |
27.03.2026 |
|
| CVE-2026-4959 |
OpenBMB XAgent ShareServer WebSocket Endpoint share.py check_user missing authentication |
27.03.2026 |
|
| CVE-2026-30532 |
|
27.03.2026 |
|
| CVE-2026-30533 |
|
27.03.2026 |
|
| CVE-2026-30534 |
|
27.03.2026 |
|
| CVE-2026-32984 |
Heap buffer overflow in wazuh-authd |
27.03.2026 |
|
| CVE-2026-29871 |
|
27.03.2026 |
|
| CVE-2026-4955 |
Shenzhen Ruiming Technology Streamax Crocus OperateStatistic.do sql injection |
27.03.2026 |
|
| CVE-2026-4956 |
Shenzhen Ruiming Technology Streamax Crocus Parameter DevicePrint.do sql injection |
27.03.2026 |
|
| CVE-2026-4957 |
OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file |
27.03.2026 |
|
| CVE-2026-4980 |
Improper Restriction of XML External Entity Reference in Inkscape |
27.03.2026 |
6.3 |
| CVE-2026-5025 |
Langflow - Application Logs Exposed to All Authenticated Users |
27.03.2026 |
6.5 |
| CVE-2026-5026 |
Langflow - Stored XSS via Malicious SVG Upload |
27.03.2026 |
|
| CVE-2026-5027 |
Langflow - Path Traversal Arbitrary File Write via upload_user_file |
27.03.2026 |
8.8 |
| CVE-2025-61190 |
|
27.03.2026 |
|
| CVE-2025-69988 |
|
27.03.2026 |
6.5 |
| CVE-2026-27876 |
RCE on Grafana via sqlExpressions |
27.03.2026 |
9.1 |
| CVE-2026-27879 |
Query resampling can cause unbounded memory allocations |
27.03.2026 |
6.5 |
| CVE-2026-28375 |
Grafana Testdata datasource can issue unbounded memory allocations |
27.03.2026 |
6.5 |
| CVE-2026-30637 |
|
27.03.2026 |
|
| CVE-2026-33759 |
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents |
27.03.2026 |
5.3 |
| CVE-2026-33761 |
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings |
27.03.2026 |
5.3 |
| CVE-2026-33763 |
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle |
27.03.2026 |
5.3 |
| CVE-2026-33764 |
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions |
27.03.2026 |
4.3 |
| CVE-2026-33766 |
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints |
27.03.2026 |
|
| CVE-2026-5010 |
Reflected Cross-Site Scripting (XSS) in Sanoma’s Clickedu |
27.03.2026 |
|
| CVE-2026-5022 |
Langflow - Missing Authorization on download_image Endpoint |
27.03.2026 |
|
| CVE-2024-11604 |
Insertion of Sensitive Information into Log File |
27.03.2026 |
|
| CVE-2025-69986 |
|
27.03.2026 |
|
| CVE-2026-1496 |
Coverity CLI Authentication Bypass |
27.03.2026 |
|
| CVE-2026-27877 |
Public dashboards discloses all direct mode datasources |
27.03.2026 |
6.5 |
| CVE-2026-27880 |
OpenFeature evaluation API reads input data with no bounds |
27.03.2026 |
7.5 |
| CVE-2026-30303 |
|
27.03.2026 |
|
| CVE-2026-30304 |
|
27.03.2026 |
|
| CVE-2026-30407 |
|
27.03.2026 |
|
| CVE-2026-30689 |
|
27.03.2026 |
|
| CVE-2026-33205 |
calibre has Server-Side Request Forgery in ebook viewer backend |
27.03.2026 |
|
| CVE-2026-33206 |
calibre has a path traversal vulnerability |
27.03.2026 |
|
| CVE-2026-33284 |
GlobalLeaks has insufficient URL validation in user support API |
27.03.2026 |
|
| CVE-2026-33433 |
Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField |
27.03.2026 |
|
| CVE-2026-33748 |
BuildKit Git URL subdir component can cause access to restricted files |
27.03.2026 |
|
| CVE-2026-33750 |
brace-expansion: Zero-step sequence causes process hang and memory exhaustion |
27.03.2026 |
6.5 |
| CVE-2026-33755 |
Authenticated SQL Injection in Contact/query addressBookIds filter |
27.03.2026 |
8.8 |
| CVE-2026-33757 |
OpenBao lacks user confirmation for OIDC direct callback mode |
27.03.2026 |
9.6 |
| CVE-2026-33758 |
OpenBao has Reflected XSS in its OIDC authentication error message |
27.03.2026 |
|
| CVE-2026-4953 |
mingSoft MCMS Editor Endpoint BaseAction.java catchImage privilege escalation |
27.03.2026 |
|
| CVE-2026-4954 |
mingSoft MCMS Web Content List Endpoint ContentAction.java list sql injection |
27.03.2026 |
|
| CVE-2026-4984 |
Botpress - Credential Disclosure via Twilio Webhook Handler |
27.03.2026 |
8.2 |
| CVE-2025-13478 |
Cache Misconfiguration Leading to Cross-User Data Exposure |
27.03.2026 |
|
| CVE-2026-32695 |
Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass |
27.03.2026 |
|
| CVE-2026-32859 |
ByteDance DeerFlow Stored XSS via Inline Artifact Rendering |
27.03.2026 |
|
| CVE-2026-4340 |
|
27.03.2026 |
|
| CVE-2026-4982 |
Unauthorized access to chat contents |
27.03.2026 |
|
| CVE-2026-25099 |
Remote Code Execution via Unrestricted File Upload in Bludit |
27.03.2026 |
|
| CVE-2026-25100 |
Stored XSS via SVG File Upload in Bludit |
27.03.2026 |
|
| CVE-2026-25101 |
Session Fixation in Bludit |
27.03.2026 |
|
| CVE-2026-4620 |
|
27.03.2026 |
|
| CVE-2026-4621 |
|
27.03.2026 |
|
| CVE-2026-4622 |
|
27.03.2026 |
|
| CVE-2026-4309 |
|
27.03.2026 |
|
| CVE-2026-4619 |
|
27.03.2026 |
|
| CVE-2023-7339 |
Data collection for downloading leads into buffer overflow
27.03.2026 |
6.5 |
| CVE-2026-3457 |
Stored XSS vulnerability in Sentinel ACC |
27.03.2026 |
|
| CVE-2025-59028 |
|
27.03.2026 |
5.3 |
| CVE-2025-59031 |
|
27.03.2026 |
4.3 |
| CVE-2025-59032 |
|
27.03.2026 |
7.5 |
| CVE-2026-0394 |
|
27.03.2026 |
5.3 |
| CVE-2026-24031 |
|
27.03.2026 |
7.7 |
| CVE-2026-27855 |
|
27.03.2026 |
6.8 |
| CVE-2026-27856 |
|
27.03.2026 |
7.4 |
| CVE-2026-27857 |
|
27.03.2026 |
4.3 |
| CVE-2026-27858 |
|
27.03.2026 |
7.5 |
| CVE-2026-27859 |
|
27.03.2026 |
5.3 |
| CVE-2026-27860 |
|
27.03.2026 |
3.7 |
| CVE-2024-14028 |
Multiple implicit reads in parallel can result in a crash or denial of service |
27.03.2026 |
6.5 |
| CVE-2026-22742 |
Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching |
27.03.2026 |
8.6 |
| CVE-2026-22743 |
Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore |
27.03.2026 |
7.5 |
| CVE-2026-22744 |
|
27.03.2026 |
7.5 |
| CVE-2026-27650 |
|
27.03.2026 |
|
| CVE-2026-32669 |
|
27.03.2026 |
|
| CVE-2026-32678 |
|
27.03.2026 |
|
| CVE-2026-33280 |
|
27.03.2026 |
|
| CVE-2026-33366 |
|
27.03.2026 |
|
| CVE-2026-4948 |
Firewalld: firewalld: local unprivileged user can modify firewall state due to d-bus setter mis-authorization |
27.03.2026 |
|
| CVE-2026-22738 |
SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution |
27.03.2026 |
9.8 |
| CVE-2026-33559 |
|
27.03.2026 |
|
| CVE-2026-34353 |
|
27.03.2026 |
5.9 |
| CVE-2026-3098 |
Smart Slider 3 <= 3.5.1.33 - Authenticated (Subscriber+) Arbitrary File Read via actionExportAll |
27.03.2026 |
6.5 |
| CVE-2026-4910 |
Shenzhen Ruiming Technology Streamax Crocus Endpoint RemoteFormat.do sql injection |
27.03.2026 |
|
| CVE-2026-4908 |
code-projects Simple Laundry System Parameter modstaffinfo.php sql injection |
27.03.2026 |
|
| CVE-2026-4909 |
code-projects Exam Form Submission update_s7.php cross site scripting |
27.03.2026 |
|
| CVE-2026-4907 |
Page-Replica Page Replica Endpoint sitemap sitemap.fetch server-side request forgery |
27.03.2026 |
|
| CVE-2026-33735 |
MyTube has an Improper Access Control that Allows Complete Application Takeover |
27.03.2026 |
|
| CVE-2026-33744 |
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml |
27.03.2026 |
7.8 |
| CVE-2026-33745 |
cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect |
27.03.2026 |
7.4 |
| CVE-2026-33747 |
BuildKit vulnerable to malicious frontend causing file escape outside of storage root |
27.03.2026 |
8.4 |
| CVE-2026-33890 |
MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration |
27.03.2026 |
|
| CVE-2026-33935 |
MyTube has Unauthenticated Account Lockout via Shared Login Attempt State |
27.03.2026 |
|
| CVE-2026-4906 |
Tenda AC5 POST Request WizardHandle decodePwd stack-based overflow |
27.03.2026 |
|
| CVE-2026-33693 |
Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() |
27.03.2026 |
6.5 |
| CVE-2026-33699 |
pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream |
26.03.2026 |
|
| CVE-2026-33701 |
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution |
27.03.2026 |
|
| CVE-2026-33718 |
OpenHands is Vulnerable to Command Injection through its Git Diff Handler |
27.03.2026 |
7.6 |
| CVE-2026-33721 |
MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing |
27.03.2026 |
5.3 |
| CVE-2026-33725 |
Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import |
27.03.2026 |
7.2 |
| CVE-2026-33726 |
Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic |
27.03.2026 |
5.4 |
| CVE-2026-33728 |
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution |
27.03.2026 |
|
| CVE-2026-33729 |
OpenFGA has an Authorization Bypass through cached keys |
27.03.2026 |
|
| CVE-2026-33730 |
Open Source Point of Sale has an IDOR in Password Change (Home) |
27.03.2026 |
6.5 |
| CVE-2026-27893 |
vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out |
27.03.2026 |
8.8 |
| CVE-2026-29071 |
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories |
26.03.2026 |
3.1 |
| CVE-2026-28786 |
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions` |
27.03.2026 |
4.3 |
| CVE-2026-28788 |
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite |
26.03.2026 |
7.1 |
| CVE-2026-29070 |
Open WebUI has unauthorized deletion of knowledge files |
26.03.2026 |
5.4 |
| CVE-2026-33697 |
CoCoS attested TLS is vulnerable to relay attacks via extracted ephemeral TLS keys |
26.03.2026 |
7.5 |
| CVE-2026-33898 |
Local Incus UI web server vulnerable to authentication bypass
26.03.2026 |
8.8 |
| CVE-2026-33945 |
Arbitrary file write through systemd-creds option
26.03.2026 |
10 |
| CVE-2026-4904 |
Tenda AC5 POST Request setcfm formSetCfm stack-based overflow |
26.03.2026 |
|
| CVE-2026-4905 |
Tenda AC5 POST Request WifiWpsOOB formWifiWpsOOB stack-based overflow |
27.03.2026 |
|
| CVE-2026-33542 |
Incus does not verify combined fingerprint when downloading images from simplestreams servers |
26.03.2026 |
|
| CVE-2026-33711 |
Incus vulnerable to local privilege escalation through VM screenshot path |
26.03.2026 |
|
| CVE-2026-33743 |
Incus vulnerable to denial of source through crafted bucket backup file |
27.03.2026 |
6.5 |
| CVE-2026-33897 |
Incus vulnerable to arbitrary file read and write through pongo templates |
26.03.2026 |
10 |
| CVE-2026-34352 |
|
27.03.2026 |
8.5 |
| CVE-2026-4902 |
Tenda AC5 POST Request addressNat fromAddressNat memory corruption |
27.03.2026 |
|
| CVE-2026-4903 |
Tenda AC5 POST Request QuickIndex formQuickIndex memory corruption |
26.03.2026 |
|
| CVE-2025-12805 |
Llama-stack-k8s-operator: llama stack service exposed across namespaces due to missing networkpolicy |
26.03.2026 |
|
| CVE-2026-33686 |
Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil |
27.03.2026 |
8.8 |
| CVE-2026-33687 |
Sharp has Unrestricted File Upload via Client-Controlled Validation Rules |
26.03.2026 |
8.8 |
| CVE-2026-4899 |
code-projects Online Food Ordering System food.php cross site scripting |
27.03.2026 |
|
| CVE-2026-4900 |
code-projects Online Food Ordering System localhost.sql privilege escalation |
26.03.2026 |
|
| CVE-2026-28377 |
S3 SSE-C Encryption Key Exposed in Plaintext via Config Endpoint (CVE-2025-41118 Pattern) |
27.03.2026 |
7.5 |
| CVE-2026-33672 |
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching |
27.03.2026 |
5.3 |
| CVE-2026-33673 |
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables |
26.03.2026 |
7.7 |
| CVE-2026-33674 |
PrestaShop: Improper Use of Validation Framework |
26.03.2026 |
2 |
| CVE-2026-33682 |
Streamlit on Windows has Unauthenticated SSRF Vulnerability (NTLM Credential Exposure) |
26.03.2026 |
4.7 |
| CVE-2026-0748 |
Access bypass in Drupal 7 i18n_node translation UI |
27.03.2026 |
|
| CVE-2026-33671 |
Picomatch has a ReDoS vulnerability via extglob quantifiers |
26.03.2026 |
7.5 |
| CVE-2026-4346 |
Cleartext Storage of Administrative and Wi-Fi Credentials via Accessible Serial Interface in TP Link's TL-WR850N |
26.03.2026 |
|
| CVE-2026-1556 |
Information disclosure via file URI overwrite in File (Field) Paths |
26.03.2026 |
|
| CVE-2026-33653 |
Uploady Vulnerable to Stored Cross-Site Scripting (XSS) |
26.03.2026 |
4.6 |
| CVE-2026-33658 |
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests |
26.03.2026 |
|
| CVE-2026-33661 |
WeChat Pay callback signature verification bypassed when Host header is localhost |
26.03.2026 |
8.6 |
| CVE-2026-33664 |
Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields |
27.03.2026 |
7.3 |
| CVE-2026-33669 |
SiYuan has Arbitrary Document Reading within the Publishing Service |
26.03.2026 |
9.8 |
| CVE-2026-33670 |
SiYuan has directory traversal within its publishing service |
26.03.2026 |
9.8 |
| CVE-2026-3650 |
Grassroots DICOM Missing release of memory after effective lifetime |
26.03.2026 |
|
| CVE-2026-4898 |
code-projects Online Food Ordering System contact.php cross site scripting |
26.03.2026 |
|
| CVE-2026-33623 |
PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution |
26.03.2026 |
6.7 |
| CVE-2026-33628 |
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items |
27.03.2026 |
5.4 |
| CVE-2026-33638 |
Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint |
26.03.2026 |
5.3 |
| CVE-2026-33640 |
Outline has a rate limit bypass that allows brute force of email login OTP |
26.03.2026 |
|
| CVE-2026-33645 |
Fireshare has Path Traversal Arbitrary File Write in `/api/uploadChunked` |
26.03.2026 |
7.1 |
| CVE-2026-33742 |
Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes |
27.03.2026 |
5.4 |
| CVE-2026-33545 |
MobSF has SQL Injection in its SQLite Database Viewer Utils |
26.03.2026 |
5.3 |
| CVE-2026-33619 |
PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl |
26.03.2026 |
4.1 |
| CVE-2026-33620 |
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems |
26.03.2026 |
4.3 |
| CVE-2026-33621 |
PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token |
27.03.2026 |
4.8 |
| CVE-2026-33622 |
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution |
26.03.2026 |
|
| CVE-2026-33635 |
iCalendar has ICS injection via unsanitized URI property values |
26.03.2026 |
4.3 |
| CVE-2026-3622 |
Denial-of-Service Vulnerability in UPnP Component of TP Link's TL-WR841N |
26.03.2026 |
|
| CVE-2026-33541 |
TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service |
26.03.2026 |
6.5 |
| CVE-2026-33738 |
Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint) |
27.03.2026 |
|
| CVE-2026-0964 |
Libssh: improper sanitation of paths received from scp servers |
26.03.2026 |
|
| CVE-2026-0965 |
Libssh: libssh: denial of service via improper configuration file handling |
26.03.2026 |
|
| CVE-2026-0966 |
Libssh: buffer underflow in ssh_get_hexa() on invalid input |
26.03.2026 |
|
| CVE-2026-0967 |
Libssh: libssh: denial of service via inefficient regular expression processing |
27.03.2026 |
|
| CVE-2026-0968 |
Libssh: libssh: denial of service due to malformed sftp message |
26.03.2026 |
|
| CVE-2026-21724 |
Missing Protected-field Authorization in Provisioning Contact Points API |
27.03.2026 |
5.4 |
| CVE-2026-2100 |
P11-kit: p11-kit: null dereference via c_derivekey with specific null parameters |
26.03.2026 |
|
| CVE-2026-2239 |
Gimp: gimp: application crash (dos) via crafted psd file due to heap-buffer-overflow |
26.03.2026 |
|
| CVE-2026-2271 |
Gimp: gimp: denial of service via crafted psp image file |
26.03.2026 |
|
| CVE-2026-2272 |
Gimp: gimp: memory corruption due to integer overflow in ico file handling |
27.03.2026 |
|
| CVE-2026-33375 |
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS |
27.03.2026 |
6.5 |
| CVE-2026-33537 |
Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked |
26.03.2026 |
|
| CVE-2026-33644 |
Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs |
26.03.2026 |
|
| CVE-2026-3525 |
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020 |
26.03.2026 |
|
| CVE-2026-3526 |
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021 |
26.03.2026 |
|
| CVE-2026-3527 |
AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022 |
26.03.2026 |
|
| CVE-2026-3528 |
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023 |
26.03.2026 |
|
| CVE-2026-3529 |
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024 |
26.03.2026 |
|
| CVE-2026-3530 |
OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025 |
26.03.2026 |
|
| CVE-2026-3531 |
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026 |
26.03.2026 |
|
| CVE-2026-3532 |
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027 |
27.03.2026 |
|
| CVE-2026-3573 |
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 |
26.03.2026 |
|
| CVE-2026-4393 |
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030 |
26.03.2026 |
|
| CVE-2026-4933 |
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 |
26.03.2026 |
|
| CVE-2026-32284 |
Denial of service in github.com/shamaton/msgpack |
26.03.2026 |
|
| CVE-2026-32285 |
Denial of service in github.com/buger/jsonparser |
26.03.2026 |
|
| CVE-2026-32286 |
Denial of service in github.com/jackc/pgproto3/v2 |
26.03.2026 |
|
| CVE-2026-32287 |
Infinite loop in github.com/antchfx/xpath |
26.03.2026 |
|
| CVE-2026-33531 |
InvenTree has Path Traversal In Report Templates |
26.03.2026 |
|
| CVE-2026-33532 |
yaml is vulnerable to Stack Overflow via deeply nested YAML collections |
26.03.2026 |
4.3 |
| CVE-2026-33535 |
ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction |
26.03.2026 |
4 |
| CVE-2026-33536 |
ImageMagick has an Out-of-bounds Write via InterpretImageFilename |
27.03.2026 |
5.1 |
| CVE-2021-4474 |
Ruckus AP CLI Arbitrary File Read Allows Authenticated Remote File Access |
26.03.2026 |
|
| CVE-2023-7338 |
Ruckus Unleashed Authenticated RCE in Gateway Mode |
26.03.2026 |
|
| CVE-2026-2436 |
Libsoup: libsoup: denial of service via use-after-free in soupserver during tls handshake |
26.03.2026 |
|
| CVE-2026-33525 |
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting |
26.03.2026 |
|
| CVE-2026-33528 |
GoDoxy has a Path Traversal Vulnerability in its File API |
27.03.2026 |
6.5 |
| CVE-2026-33529 |
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE |
26.03.2026 |
3.3 |
| CVE-2026-33530 |
InvenTree Vulnerable to ORM Filter Injection |
26.03.2026 |
7.7 |
| CVE-2026-33631 |
ClearanceKit: opfilter policy bypass via non-open file operations |
26.03.2026 |
8.7 |
| CVE-2026-33632 |
ClearanceKit: opfilter policy bypass via exchangedata and clone operations |
27.03.2026 |
|
| CVE-2026-26213 |
thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal |
26.03.2026 |
|
| CVE-2026-28503 |
Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404 |
27.03.2026 |
|
| CVE-2026-29055 |
Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII |
26.03.2026 |
5.3 |
| CVE-2026-29969 |
|
26.03.2026 |
|
| CVE-2026-30463 |
|
26.03.2026 |
|
| CVE-2026-33148 |
URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key |
26.03.2026 |
6.5 |
| CVE-2026-33149 |
Tandoor Recipes Vulnerable to Host Header Injection |
26.03.2026 |
8.1 |
| CVE-2026-33152 |
Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication |
26.03.2026 |
9.1 |
| CVE-2026-33153 |
Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic |
26.03.2026 |
|
| CVE-2026-33506 |
DOM-Based XSS in Ory Polis Login Page |
26.03.2026 |
8.8 |
| CVE-2026-3121 |
Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission |
26.03.2026 |
|
| CVE-2026-3190 |
Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api |
27.03.2026 |
|
| CVE-2026-4923 |
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards |
27.03.2026 |
5.9 |
| CVE-2026-4926 |
path-to-regexp vulnerable to Denial of Service via sequential optional groups |
26.03.2026 |
7.5 |
| CVE-2026-30457 |
|
26.03.2026 |
|
| CVE-2026-33491 |
Zen-C has Stack-Based Buffer Overflow in Identifier Mangling |
27.03.2026 |
7.8 |