Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,254
Quick preset (or use dates below)
Clear Filters
Showing 8,001 - 8,020 of 13,708 CVEs
CVE-2026-34509 HIGH - 7.5

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-34506 HIGH - 7.5

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-32988 HIGH - 7.5

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes out...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-32982 HIGH - 7.5

OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-32971 HIGH - 7.1

OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleadi...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-32916 HIGH - 7.7

OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent meth...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2024-14031 HIGH - 8.1

Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of...

Vendor: YVES
Product: Sereal::Encoder
Published: Mar 31, 2026
Source: NVD
CVE-2024-14030 HIGH - 8.1

Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of...

Vendor: YVES
Product: Sereal::Decoder
Published: Mar 31, 2026
Source: NVD
CVE-2026-5201 HIGH - 7.5

A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5195 HIGH - 7.3

A flaw has been found in code-projects Student Membership System 1.0. This issue affects some unknown processing of the component User Registration Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely.

Published: Mar 31, 2026
Source: NVD
CVE-2025-10559 HIGH - 7.1

A Path Traversal vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to read or write files in specific directories on the server.

Vendor: Dassault Systèmes
Product: DELMIA Factory Resource Manager
Published: Mar 31, 2026
Source: NVD
CVE-2025-10553 HIGH - 8.7

A Stored Cross-site Scripting (XSS) vulnerability affecting Factory Resource Management in DELMIA Factory Resource Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

Vendor: Dassault Systèmes
Product: DELMIA Factory Resource Manager
Published: Mar 31, 2026
Source: NVD
CVE-2025-10551 HIGH - 8.7

A Stored Cross-site Scripting (XSS) vulnerability affecting Document Management in ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session.

Vendor: Dassault Systèmes
Product: ENOVIA Collaborative Industry Innovator
Published: Mar 31, 2026
Source: NVD
CVE-2026-5182 HIGH - 7.3

A vulnerability was found in SourceCodester Teacher Record System 1.0. Impacted is an unknown function of the file Teacher Record System of the component Parameter Handler. Performing a manipulation of the argument searchteacher results in sql injection. It is possible to initiate the attack remotel...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5180 HIGH - 7.3

A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=login2. This manipulation of the argument email causes sql injection. The attack is possible to be carried out remotely. The exploit has been publ...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5179 HIGH - 7.3

A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

Published: Mar 31, 2026
Source: NVD
CVE-2026-34054 HIGH - 7.8

vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.

Vendor: microsoft
Product: vcpkg
Published: Mar 31, 2026
Source: NVD
CVE-2026-32727 HIGH - 8.1

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normal...

Vendor: scitokens
Product: scitokens
Published: Mar 31, 2026
Source: NVD
CVE-2026-32716 HIGH - 8.1

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the s...

Vendor: scitokens
Product: scitokens
Published: Mar 31, 2026
Source: NVD
CVE-2026-5176 HIGH - 7.3

A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released ...

Vendor: totolink
Product: a3300r_firmware
Published: Mar 31, 2026
Source: NVD