Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,220
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,061 - 8,080 of 13,819 CVEs
CVE-2026-34165 MEDIUM - 5.0

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-...

Vendor: go
Product: github.com/go-git/go-git/v5
Published: Mar 30, 2026
Source: GitHub
CVE-2026-29909 MEDIUM - 5.3

MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials.

Vendor: mrcms
Product: mrcms
Published: Mar 30, 2026
Source: NVD
CVE-2026-27508 MEDIUM - 5.4

Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitization of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' brow...

Vendor: Smoothwall
Product: Express
Published: Mar 30, 2026
Source: NVD
CVE-2026-26352 MEDIUM - 5.4

Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitization of the VPN_IP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes when ...

Vendor: Smoothwall
Product: Express
Published: Mar 30, 2026
Source: NVD
CVE-2026-33990 MEDIUM - 9.1

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Aut...

Vendor: go
Product: github.com/docker/model-runner
Published: Mar 30, 2026
Source: GitHub
CVE-2026-27599 MEDIUM - 4.7

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration fiel...

Vendor: composer
Product: ci4-cms-erp/ci4ms
Published: Mar 30, 2026
Source: GitHub
CVE-2026-5170 MEDIUM - 5.3

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of t...

Vendor: mongodb
Product: mongodb
Published: Mar 30, 2026
Source: NVD
CVE-2026-30561 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_purchase.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30560 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_supplier.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30559 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_sales.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web scrip...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30558 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_customer.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30557 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the add_category.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web sc...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30556 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the index.php file via the "msg" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-29597 MEDIUM - 6.5

DDSN Interactive cm3 Acora CMS version 10.7.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive configuration files by force browsing the “/Admin/file_manager/file_details.asp” endpoint and manipulating the “file” parameter. By referencing specific fil...

Published: Mar 30, 2026
Source: NVD
CVE-2026-21712 MEDIUM - 5.7

A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.

Vendor: nodejs
Product: node
Published: Mar 30, 2026
Source: NVD
CVE-2026-5165 MEDIUM - 6.7

A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system insta...

Published: Mar 30, 2026
Source: NVD
CVE-2026-5164 MEDIUM - 6.7

A flaw was found in virtio-win. The `RhelDoUnMap()` function does not properly validate the number of descriptors provided by a user during an unmap request. A local user could exploit this input validation vulnerability by supplying an excessive number of descriptors, leading to a buffer overrun. T...

Published: Mar 30, 2026
Source: NVD
CVE-2026-30566 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_customers.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary we...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30565 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_supplier.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD
CVE-2026-30564 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0. The vulnerability is located in the view_payments.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web...

Vendor: ahsanriaz26gmailcom
Product: sales_and_inventory_system
Published: Mar 30, 2026
Source: NVD