Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,221
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,021 - 8,040 of 13,819 CVEs
CVE-2026-34881 MEDIUM - 5.0

OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the...

Vendor: OpenStack
Product: Glance
Published: Mar 31, 2026
Source: NVD
CVE-2026-1877 MEDIUM - 6.1

The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings and injec...

Published: Mar 31, 2026
Source: NVD
CVE-2026-1834 MEDIUM - 6.4

The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5181 MEDIUM - 6.3

A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctors_appointment/admin/ajax.php?action=save_category. Such manipulation of the argument img leads to unrestricted upload. The attack may be perform...

Published: Mar 31, 2026
Source: NVD
CVE-2026-4146 MEDIUM - 6.1

The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Published: Mar 31, 2026
Source: NVD
CVE-2026-1797 MEDIUM - 5.3

The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained...

Published: Mar 31, 2026
Source: NVD
CVE-2026-1710 MEDIUM - 6.5

The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated att...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5178 MEDIUM - 6.3

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The exploi...

Vendor: totolink
Product: a3300r_firmware
Published: Mar 31, 2026
Source: NVD
CVE-2026-5177 MEDIUM - 6.3

A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit h...

Vendor: totolink
Product: a3300r_firmware
Published: Mar 31, 2026
Source: NVD
CVE-2026-4794 MEDIUM - 4.8

Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other administrators' sessions or perform unauthorized actions via...

Vendor: papercut
Product: papercut_mf
Published: Mar 31, 2026
Source: NVD
CVE-2026-30879 MEDIUM - 6.1

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.

Vendor: baserproject
Product: basercms
Published: Mar 31, 2026
Source: NVD
CVE-2026-30878 MEDIUM - 5.3

baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spa...

Vendor: baserproject
Product: basercms
Published: Mar 31, 2026
Source: NVD
CVE-2026-27697 MEDIUM - 9.8

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.

Vendor: baserproject
Product: basercms
Published: Mar 31, 2026
Source: NVD
CVE-2026-5157 MEDIUM - 4.3

A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the argument cust_id leads to cross site scripting. The attack may be performed from remote. The exploit is...

Published: Mar 31, 2026
Source: NVD
CVE-2026-5153 MEDIUM - 6.3

A flaw has been found in Tenda CH22 1.0.0.1. The affected element is the function FormWriteFacMac of the file /goform/WriteFacMac. Executing a manipulation of the argument mac can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used.

Vendor: tenda
Product: ch22_firmware
Published: Mar 30, 2026
Source: NVD
CVE-2026-33995 MEDIUM - 5.3

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (WinPR, winpr/libwinpr/sspi/Kerberos/kerberos.c) can cause a crash in any FreeRDP clients on systems whe...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 30, 2026
Source: NVD
CVE-2026-33985 MEDIUM - 5.9

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 30, 2026
Source: NVD
CVE-2026-33983 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN; execution continues. The wrapped value (247) is used as a shift exponent, causing undefin...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 30, 2026
Source: NVD
CVE-2026-33977 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network an...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 30, 2026
Source: NVD
CVE-2026-33952 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash wit...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 30, 2026
Source: NVD