CVE-2026-0964 MEDIUM - 5.0

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue a...

Published: Mar 26, 2026
Source: NVD
CVE-2026-33531 MEDIUM - 6.5

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, a...

Vendor: inventree
Product: InvenTree
Published: Mar 26, 2026
Source: NVD
CVE-2026-2436 MEDIUM - 6.5

A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been ...

Published: Mar 26, 2026
Source: NVD
CVE-2021-4474 MEDIUM - 4.9

Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive infor...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4923 MEDIUM - 5.9

Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:...

Vendor: npm
Product: path-to-regexp
Published: Mar 26, 2026
Source: NVD
CVE-2026-3190 MEDIUM - 4.3

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate a...

Vendor: redhat
Product: build_of_keycloak
Published: Mar 26, 2026
Source: NVD
CVE-2026-3121 MEDIUM - 6.5

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions withi...

Vendor: redhat
Product: build_of_keycloak
Published: Mar 26, 2026
Source: NVD
CVE-2026-33153 MEDIUM - 6.5

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOI...

Vendor: TandoorRecipes
Product: recipes
Published: Mar 26, 2026
Source: NVD
CVE-2026-33148 MEDIUM - 6.5

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without UR...

Vendor: TandoorRecipes
Product: recipes
Published: Mar 26, 2026
Source: NVD
CVE-2026-29969 MEDIUM - 6.1

A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.1.19219 allows attackers to execute arbitrary JavaScript in the context of the user's browser via a crafted HTTP request.

Published: Mar 26, 2026
Source: NVD
CVE-2026-29055 MEDIUM - 5.3

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer...

Vendor: TandoorRecipes
Product: recipes
Published: Mar 26, 2026
Source: NVD
CVE-2026-28503 MEDIUM - 6.5

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=...

Vendor: TandoorRecipes
Product: recipes
Published: Mar 26, 2026
Source: NVD
CVE-2026-33536 MEDIUM - 5.1

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write...

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33887 MEDIUM - 5.4

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the au...

Vendor: composer
Product: statamic/cms
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33886 MEDIUM - 6.5

Statamic is a Laravel and Git powered content management system (CMS). Starting in version 5.7.12 and prior to versions 5.73.16 and 6.7.2, a control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their conte...

Vendor: composer
Product: statamic/cms
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33885 MEDIUM - 6.1

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and...

Vendor: composer
Product: statamic/cms
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33884 MEDIUM - 4.3

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, an authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. This has been fixed in 5.73.16 ...

Vendor: composer
Product: statamic/cms
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33883 MEDIUM - 6.1

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the `user:reset_password_form` tag could render user input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's brow...

Vendor: composer
Product: statamic/cms
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33882 MEDIUM - 6.5

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, the markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve...

Vendor: composer
Product: statamic/cms
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33750 MEDIUM - 6.5

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds an...

Vendor: npm
Product: brace-expansion
Published: Mar 26, 2026
Source: GitHub