Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,254
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 7,981 - 8,000 of 13,819 CVEs
CVE-2026-5203 MEDIUM - 4.7

A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the function _copyFilesToFolder in the library modules/UserGuide/lib/class.UserGuideImporterExporter.php of the component UserGuide Module XML Import. The manipulation results in path traversal. It is possible to launch the atta...

Published: Mar 31, 2026
Source: NVD
CVE-2026-4819 MEDIUM - 4.9

In Search Guard FLX versions from 1.0.0 up to 4.0.1, the audit logging feature might log user credentials from users logging into Kibana.

Vendor: search-guard
Product: flx
Published: Mar 31, 2026
Source: NVD
CVE-2026-4818 MEDIUM - 6.8

In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.

Vendor: search-guard
Product: flx
Published: Mar 31, 2026
Source: NVD
CVE-2026-34595 MEDIUM - 4.3

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sen...

Vendor: parse-community
Product: parse-server
Published: Mar 31, 2026
Source: NVD
CVE-2026-34574 MEDIUM - 5.4

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the sess...

Vendor: parse-community
Product: parse-server
Published: Mar 31, 2026
Source: NVD
CVE-2026-34227 MEDIUM - 8.8

Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected target data (e.g. SSH ...

Vendor: BishopFox
Product: sliver
Published: Mar 31, 2026
Source: NVD
CVE-2026-34218 MEDIUM - 5.5

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed (MDM-delivered) and user-defined fi...

Vendor: craigjbass
Product: clearancekit
Published: Mar 31, 2026
Source: NVD
CVE-2026-22569 MEDIUM - 5.4

An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows may prevent a limited amount of traffic from being inspected under rare circumstances.

Vendor: Zscaler
Product: Zscaler Client Connector
Published: Mar 31, 2026
Source: NVD
CVE-2026-4799 MEDIUM - 4.3

In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL.

Vendor: search-guard
Product: flx
Published: Mar 31, 2026
Source: NVD
CVE-2026-33581 MEDIUM - 6.5

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated a...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-33580 MEDIUM - 6.5

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authe...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-33578 MEDIUM - 4.3

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots desp...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-33576 MEDIUM - 6.5

OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-33276 MEDIUM - 5.4

Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.

Vendor: Checkmk GmbH
Product: Checkmk
Published: Mar 31, 2026
Source: NVD
CVE-2026-20915 MEDIUM - 5.4

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar.

Vendor: Checkmk GmbH
Product: Checkmk
Published: Mar 31, 2026
Source: NVD
CVE-2026-34155 MEDIUM - 5.3

RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in a signature which covers only the first few bytes of the payload. Given such a bundle with...

Vendor: rauc
Product: rauc
Published: Mar 31, 2026
Source: NVD
CVE-2026-3191 MEDIUM - 5.4

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plu...

Published: Mar 31, 2026
Source: NVD
CVE-2026-3139 MEDIUM - 4.3

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled ...

Published: Mar 31, 2026
Source: NVD
CVE-2026-34508 MEDIUM - 6.5

OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. Attackers can repeatedly guess invalid secrets to discover valid credentials and subsequently submit ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-32977 MEDIUM - 6.3

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD