Total CVEs: 140,426
Critical Severity: 3,747
High Severity: 13,550
Last 7 Days: 1,488
Showing 8,001 - 8,020 of 13,946 CVEs
CVE-2026-33732 MEDIUM - 4.8

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's `FastURL` allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. `file://`). Starting in version 0.11.13, ...

Vendor: h3js
Product: srvx
Published: Mar 26, 2026
Source: NVD
CVE-2026-33477 MEDIUM - 4.3

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versions 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uplo...

Vendor: error311
Product: FileRise
Published: Mar 26, 2026
Source: NVD
CVE-2026-33766 MEDIUM - 6.5

WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()` validates URLs against private/reserved IP ranges before fetching, but `url_get_contents()` follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection b...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33764 MEDIUM - 4.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An au...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33763 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33761 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmi...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33759 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache ke...

Vendor: go
Product: github.com/openfga/openfga
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33535 MEDIUM - 4.0

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: Mar 26, 2026
Source: GitHub
CVE-2026-3116 MEDIUM - 4.9

Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589

Published: Mar 26, 2026
Source: NVD
CVE-2026-3115 MEDIUM - 4.3

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endp...

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-3114 MEDIUM - 6.5

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives conta...

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-3113 MEDIUM - 5.0

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-3112 MEDIUM - 6.8

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. ...

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-34071 MEDIUM - 5.4

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a mali...

Vendor: Stirling-Tools
Product: Stirling-PDF
Published: Mar 26, 2026
Source: NVD
CVE-2026-33470 MEDIUM - 6.5

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` retur...

Vendor: blakeblackshear
Product: frigate
Published: Mar 26, 2026
Source: NVD
CVE-2026-33469 MEDIUM - 6.5

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config...

Vendor: blakeblackshear
Product: frigate
Published: Mar 26, 2026
Source: NVD
CVE-2026-33438 MEDIUM - 6.5

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (`/api/v1/security/add-watermark` endpoint). The vulnerabi...

Vendor: Stirling-Tools
Product: Stirling-PDF
Published: Mar 26, 2026
Source: NVD
CVE-2026-33402 MEDIUM - 6.1

Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles a...

Vendor: sakaiproject
Product: sakai
Published: Mar 26, 2026
Source: NVD
CVE-2026-33015 MEDIUM - 5.2

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass op...

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD