Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,254
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,001 - 8,020 of 13,819 CVEs
CVE-2026-32976 MEDIUM - 6.5

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like /config set channels.<provider&...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-32921 MEDIUM - 6.3

OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 31, 2026
Source: NVD
CVE-2026-27854 MEDIUM - 4.8

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-fr...

Vendor: PowerDNS
Product: DNSdist
Published: Mar 31, 2026
Source: NVD
CVE-2026-27853 MEDIUM - 5.9

An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 byte...

Vendor: PowerDNS
Product: DNSdist
Published: Mar 31, 2026
Source: NVD
CVE-2026-24030 MEDIUM - 5.3

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed...

Vendor: PowerDNS
Product: DNSdist
Published: Mar 31, 2026
Source: NVD
CVE-2026-24029 MEDIUM - 6.5

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

Vendor: PowerDNS
Product: DNSdist
Published: Mar 31, 2026
Source: NVD
CVE-2026-24028 MEDIUM - 5.3

An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential info...

Vendor: PowerDNS
Product: DNSdist
Published: Mar 31, 2026
Source: NVD
CVE-2026-34887 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS. This issue affects Kubio AI Page Builder: from n/a through 2.7.0.

Vendor: Extend Themes
Product: Kubio AI Page Builder
Published: Mar 31, 2026
Source: NVD
CVE-2026-5197 MEDIUM - 6.3

A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.

Published: Mar 31, 2026
Source: NVD
CVE-2026-5196 MEDIUM - 6.3

A vulnerability has been found in code-projects Student Membership System 1.0. Impacted is an unknown function of the file /delete_member.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be use...

Published: Mar 31, 2026
Source: NVD
CVE-2026-3107 MEDIUM - 5.4

Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import process, al...

Vendor: teampass
Product: teampass
Published: Mar 31, 2026
Source: NVD
CVE-2026-3106 MEDIUM - 5.4

Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or encode...

Vendor: teampass
Product: teampass
Published: Mar 31, 2026
Source: NVD
CVE-2025-41357 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies,...

Vendor: Anon Proxy Server
Product: Anon Proxy Server
Published: Mar 31, 2026
Source: NVD
CVE-2025-41356 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies,...

Vendor: Anon Proxy Server
Product: Anon Proxy Server
Published: Mar 31, 2026
Source: NVD
CVE-2025-41355 MEDIUM - 6.1

Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cook...

Vendor: Anon Proxy Server
Product: Anon Proxy Server
Published: Mar 31, 2026
Source: NVD
CVE-2026-5186 MEDIUM - 5.3

A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public an...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5185 MEDIUM - 5.3

A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has bee...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5184 MEDIUM - 6.3

A vulnerability was identified in TRENDnet TEW-713RE up to 1.02. The impacted element is an unknown function of the file /goform/setSysAdm. The manipulation of the argument admuser leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. ...

Published: Mar 31, 2026
Source: NVD
CVE-2026-3881 MEDIUM - 5.8

The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks.

Published: Mar 31, 2026
Source: NVD
CVE-2026-5183 MEDIUM - 6.3

A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The affected element is the function sub_421494 of the file /goform/addRouting. Executing a manipulation of the argument dest can lead to command injection. It is possible to launch the attack remotely. The exploit has been publicly di...

Published: Mar 31, 2026
Source: NVD