Total CVEs: 140,426
Critical Severity: 3,747
High Severity: 13,550
Last 7 Days: 1,486
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 7,801 - 7,820 of 13,565 CVEs
CVE-2026-33027 MEDIUM - 6.5

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation ...

Vendor: 0xJacky
Product: nginx-ui
Published: Mar 30, 2026
Source: NVD
CVE-2026-34373 MEDIUM - 8.8

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasse...

Vendor: npm
Product: parse-server
Published: Mar 30, 2026
Source: GitHub

Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even ...

Vendor: composer
Product: sulu/sulu
Published: Mar 30, 2026
Source: GitHub
CVE-2026-34237 MEDIUM - 6.1

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.

Vendor: maven
Product: io.modelcontextprotocol.sdk:mcp-core
Published: Mar 30, 2026
Source: GitHub
CVE-2026-34360 MEDIUM - 5.8

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.4, the /loadIG HTTP endpoint in the FHIR Validator HTTP service accepts a user-supplied URL via JSON body and makes server-side HTTP requests to it without any hostname, sche...

Vendor: maven
Product: ca.uhn.hapi.fhir:org.hl7.fhir.core
Published: Mar 30, 2026
Source: GitHub
CVE-2026-34231 MEDIUM - 6.1

Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTM...

Vendor: pip
Product: slippers
Published: Mar 30, 2026
Source: GitHub
CVE-2026-34165 MEDIUM - 5.0

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-...

Vendor: go
Product: github.com/go-git/go-git/v5
Published: Mar 30, 2026
Source: GitHub
CVE-2026-29909 MEDIUM - 5.3

MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials.

Vendor: mrcms
Product: mrcms
Published: Mar 30, 2026
Source: NVD
CVE-2026-27508 MEDIUM - 5.4

Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' brow...

Vendor: Smoothwall
Product: Express
Published: Mar 30, 2026
Source: NVD
CVE-2026-26352 MEDIUM - 5.4

Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when ...

Vendor: Smoothwall
Product: Express
Published: Mar 30, 2026
Source: NVD
CVE-2026-33990 MEDIUM - 9.1

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Aut...

Vendor: go
Product: github.com/docker/model-runner
Published: Mar 30, 2026
Source: GitHub
CVE-2026-27599 MEDIUM - 4.7

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fiel...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: Mar 30, 2026
Source: GitHub
CVE-2026-5170 MEDIUM - 5.3

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of t...

Vendor: mongodb
Product: mongodb
Published: Mar 30, 2026
Source: NVD
CVE-2026-30561 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_purchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30560 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30559 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web scrip...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30558 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30557 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30556 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-29597 MEDIUM - 6.5

DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the "/Admin/file_manager/file_details.asp" endpoint and manipulating the "file" parameter. By referencing specific fil...

Published: Mar 30, 2026
Source: NVD