Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,297
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 7,961 - 7,980 of 13,819 CVEs
CVE-2026-34396 MEDIUM - 6.1

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-con...

Vendor: WWBN
Product: AVideo
Published: Mar 31, 2026
Source: NVD
CVE-2026-34395 MEDIUM - 6.5

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged() but does not check User::isAdmin(...

Vendor: WWBN
Product: AVideo
Published: Mar 31, 2026
Source: NVD
CVE-2026-34384 MEDIUM - 4.5

Admidio is an open-source user management solution. Prior to version 5.0.8, the create_user, assign_member, and assign_user action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the delete_user mode in the same file (which...

Vendor: Admidio
Product: admidio
Published: Mar 31, 2026
Source: NVD
CVE-2026-34383 MEDIUM - 4.3

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user...

Vendor: Admidio
Product: admidio
Published: Mar 31, 2026
Source: NVD
CVE-2026-34382 MEDIUM - 4.6

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently dest...

Vendor: Admidio
Product: admidio
Published: Mar 31, 2026
Source: NVD
CVE-2026-34206 MEDIUM - 6.1

Captcha Protect is a Traefik middleware to add an anti-bot challenge to individual IPs in a subnet when traffic spikes are detected from that subnet. Prior to version 1.12.2, a reflected cross-site scripting (XSS) vulnerability exists in github.com/libops/captcha-protect. The challenge page accepted...

Vendor: libops
Product: captcha-protect
Published: Mar 31, 2026
Source: NVD
CVE-2026-30280 MEDIUM - 5.3

An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

Vendor: rareprob
Product: video_player
Published: Mar 31, 2026
Source: NVD
CVE-2026-2950 MEDIUM - 6.5

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check b...

Vendor: npm
Product: lodash
Published: Mar 31, 2026
Source: NVD
CVE-2026-30521 MEDIUM - 6.5

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers,...

Vendor: oretnom23
Product: loan_management_system
Published: Mar 31, 2026
Source: NVD
CVE-2026-5206 MEDIUM - 6.3

A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection. Remote exploitatio...

Published: Mar 31, 2026
Source: NVD
CVE-2026-33415 MEDIUM - 4.3

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not ...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-33073 MEDIUM - 5.3

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for s...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-32951 MEDIUM - 4.3

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a category_id parameter m...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-32618 MEDIUM - 4.3

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in ve...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-32273 MEDIUM - 5.4

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue h...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-32243 MEDIUM - 6.1

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted convers...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-32113 MEDIUM - 6.1

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true wit...

Vendor: discourse
Product: discourse
Published: Mar 31, 2026
Source: NVD
CVE-2026-30520 MEDIUM - 4.8

A Blind SQL Injection vulnerability exists in SourceCodester Loan Management System v1.0. The vulnerability is located in the ajax.php file (specifically the save_loan action). The application fails to properly sanitize user input supplied to the "borrower_id" parameter in a POST request, ...

Vendor: oretnom23
Product: loan_management_system
Published: Mar 31, 2026
Source: NVD
CVE-2026-5205 MEDIUM - 6.3

A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched remote...

Published: Mar 31, 2026
Source: NVD
CVE-2026-24153 MEDIUM - 5.2

NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted application is not disabled. A successful exploit of this vulnerability might lead to information disclosure.

Vendor: NVIDIA
Product: Jetson Xavier Series, Jetson Orin Series and Jetson Thor
Published: Mar 31, 2026
Source: NVD