Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,216
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,141 - 8,160 of 13,819 CVEs

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user ...

Vendor: fleetdm
Product: fleet
Published: Mar 27, 2026
Source: NVD
CVE-2026-34369 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_file` and `get_api_video` API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the n...

Vendor: WWBN
Product: AVideo
Published: Mar 27, 2026
Source: NVD
CVE-2026-29180 MEDIUM - 8.8

Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full contr...

Vendor: fleetdm
Product: fleet
Published: Mar 27, 2026
Source: NVD
CVE-2026-26060 MEDIUM - 8.8

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the accou...

Vendor: fleetdm
Product: fleet
Published: Mar 27, 2026
Source: NVD
CVE-2025-15612 MEDIUM - 4.8

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or c...

Vendor: Wazuh
Product: Wazuh Provisioning Scripts (Agent Build Environment)
Published: Mar 27, 2026
Source: NVD
CVE-2026-34043 MEDIUM - 5.9

Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.protot...

Vendor: npm
Product: serialize-javascript
Published: Mar 27, 2026
Source: GitHub
CVE-2026-4968 MEDIUM - 4.3

A vulnerability was determined in SourceCodester Diary App 1.0. The affected element is an unknown function of the file diary.php. Executing a manipulation can lead to cross-site request forgery. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. If you...

Published: Mar 27, 2026
Source: NVD
CVE-2026-4966 MEDIUM - 6.3

A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. Impacted is an unknown function of the file /admin/mod_room/index.php?view=edit. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may...

Published: Mar 27, 2026
Source: NVD
CVE-2026-34368 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writ...

Vendor: WWBN
Product: AVideo
Published: Mar 27, 2026
Source: NVD
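The TOCTOU pattern described in the AVideo wallet entry above (read the balance, check it in application code, then write the result back) is easy to reproduce once the store is asynchronous. The following is an added example, not AVideo code: an in-memory store whose operations yield like database round-trips, the vulnerable check-then-write transfer, and a hardened transfer that delegates the check to an atomic conditional debit. The user names, amounts and store API are constructed for this example.

```javascript
'use strict';

// Added example; not AVideo code. Models the transferBalance() pattern the
// advisory describes (read the balance, check it in application code, write
// the result back) against a store whose operations are asynchronous, the way
// database calls are, so two concurrent transfers interleave at the awaits.
// Users and amounts are constructed for this example.

function makeStore(initial) {
  const rows = new Map(Object.entries(initial));
  const roundTrip = () => Promise.resolve(); // yields to the event loop
  return {
    async get(user) { await roundTrip(); return rows.get(user) ?? 0; },
    async set(user, value) { await roundTrip(); rows.set(user, value); },
    async credit(user, amount) {
      await roundTrip();
      rows.set(user, (rows.get(user) ?? 0) + amount);
    },
    // The check and the write happen in one step on the store side, which is
    // what a conditional UPDATE gives you in SQL:
    //   UPDATE wallets SET balance = balance - ? WHERE user = ? AND balance >= ?
    // followed by a test that exactly one row was affected.
    async debitIfEnough(user, amount) {
      await roundTrip();
      const current = rows.get(user) ?? 0;
      if (current < amount) return false;
      rows.set(user, current - amount);
      return true;
    },
    snapshot() { return Object.fromEntries(rows); },
  };
}

// Vulnerable shape: time-of-check (the `if`) and time-of-use (the `set`) are
// separated by awaits. A second transfer that read the same balance passes
// the same check, and both write `balance - amount` back.
async function transferVulnerable(store, from, to, amount) {
  const balance = await store.get(from);
  if (balance < amount) return false;
  await store.set(from, balance - amount);
  await store.credit(to, amount);
  return true;
}

// Hardened shape: the debit is conditional and atomic; the application only
// learns whether it happened.
async function transferSafe(store, from, to, amount) {
  if (!(await store.debitIfEnough(from, amount))) return false;
  await store.credit(to, amount);
  return true;
}

// Fires two transfers of 80 from a balance of 100 at once and reports how
// many claimed success, plus the final balances.
async function race(transfer) {
  const store = makeStore({ alice: 100, bob: 0 });
  const outcomes = await Promise.all([
    transfer(store, 'alice', 'bob', 80),
    transfer(store, 'alice', 'bob', 80),
  ]);
  return { successes: outcomes.filter(Boolean).length, ...store.snapshot() };
}

race(transferVulnerable).then((r) => console.log('vulnerable:', r));
race(transferSafe).then((r) => console.log('safe:', r));
```

With the vulnerable transfer both calls report success and the recipient is credited 160 from a balance of 100; with the hardened transfer exactly one succeeds. Against a real database the equivalent of `debitIfEnough` is the conditional `UPDATE` above with a check on affected rows, or a `SELECT ... FOR UPDATE` inside a transaction; a balance check done in PHP between two separate queries gives no such guarantee.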
CVE-2026-34364 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `categories.json.php` endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path (no `?user=` parameter), user group filtering is...

Vendor: WWBN
Product: AVideo
Published: Mar 27, 2026
Source: NVD
CVE-2026-30568 MEDIUM - 4.8

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_purchase.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a craft...

Vendor: ahsanriaz26gmailcom
Product: inventory_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-30567 MEDIUM - 6.1

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view_product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted U...

Vendor: ahsanriaz26gmailcom
Product: inventory_system
Published: Mar 27, 2026
Source: NVD
CVE-2025-15617 MEDIUM - 6.5

Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits o...

Vendor: Wazuh
Product: Wazuh (GitHub Actions)
Published: Mar 27, 2026
Source: NVD
CVE-2026-34036 MEDIUM - 6.5

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploit...

Vendor: composer
Product: dolibarr/dolibarr
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33994 MEDIUM - 9.8

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overr...

Vendor: npm
Product: locutus
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33993 MEDIUM - 9.8

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP seria...

Vendor: npm
Product: locutus
Published: Mar 27, 2026
Source: GitHub
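The two locutus entries above (`parse_str` and `unserialize`) describe the same hazard from two directions: a bracket-path walk that reaches `Object.prototype` through a `__proto__` segment, and a plain key assignment that swaps an object's prototype. The following is an added example, not locutus code: a minimal `parse_str`-style parser and a minimal key-assignment routine in their vulnerable and hardened forms, with constructed query strings and key/value pairs as input. The function names and the bracket syntax handled are assumptions made for this example.

```javascript
'use strict';

// Added example; not locutus code. Reproduces the two patterns named in the
// advisories above with constructed input, beside hardened versions.

// Key segments that must never be used as property names on a plain object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]. Deliberately simple; only the bracket syntax
// needed for the demonstration is handled.
function splitKey(rawKey) {
  const m = rawKey.match(/^([^\[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [rawKey];
  const segs = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

function splitPair(pair) {
  const eq = pair.indexOf('=');
  const k = eq < 0 ? pair : pair.slice(0, eq);
  const v = eq < 0 ? '' : pair.slice(eq + 1);
  return [decodeURIComponent(k), decodeURIComponent(v)];
}

// parse_str shape, vulnerable: walks the key path with bracket notation.
// When a segment is "__proto__", `cur["__proto__"]` returns Object.prototype,
// so the final assignment lands on every object in the process.
function parseStrVulnerable(query) {
  const result = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [k, v] = splitPair(pair);
    const segs = splitKey(k);
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) cur[segs[i]] = {};
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = v;
  }
  return result;
}

// Hardened: drop pairs with a forbidden segment, build containers without a
// prototype, and only descend into own properties.
function parseStrHardened(query) {
  const result = Object.create(null);
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [k, v] = splitPair(pair);
    const segs = splitKey(k);
    if (segs.some((seg) => FORBIDDEN.has(seg))) continue;
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      if (!Object.hasOwn(cur, segs[i]) || typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
        cur[segs[i]] = Object.create(null);
      }
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = v;
  }
  return result;
}

// unserialize shape, vulnerable: each decoded key is assigned with bracket
// notation. A "__proto__" key does not create a property; it replaces the
// object's prototype with attacker-supplied data, so lookups of properties
// the code never set (isAdmin here) now succeed.
function assignKeysVulnerable(pairs) {
  const obj = {};
  for (const [k, v] of pairs) obj[k] = v;
  return obj;
}

function assignKeysHardened(pairs) {
  const obj = Object.create(null);
  for (const [k, v] of pairs) {
    if (FORBIDDEN.has(k)) continue;
    obj[k] = v;
  }
  return obj;
}

// Quick check a test suite can run after exercising a parser.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Stand-alone demonstration; undoes the pollution it causes.
parseStrVulnerable('a[__proto__][polluted]=yes');
console.log('vulnerable parse_str polluted Object.prototype:', isPrototypePolluted('polluted'));
delete Object.prototype.polluted;
parseStrHardened('a[__proto__][polluted]=yes');
console.log('hardened parse_str polluted Object.prototype:', isPrototypePolluted('polluted'));
const swapped = assignKeysVulnerable([['__proto__', { isAdmin: true }]]);
console.log('vulnerable assign: isAdmin =', swapped.isAdmin, 'own property:', Object.hasOwn(swapped, 'isAdmin'));
```

Two design points carry over to any fix of this class: containers created with `Object.create(null)` have no `__proto__` accessor to reach, and descending only through own properties (`Object.hasOwn`) stops a walk from ever landing on a shared prototype. Filtering the three names in `FORBIDDEN` is the belt to go with those braces, and `isPrototypePolluted` is the kind of assertion worth running after every parser test.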
CVE-2026-33997 MEDIUM - 6.8

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a p...

Vendor: go
Product: github.com/docker/docker
Published: Mar 27, 2026
Source: GitHub
CVE-2026-4964 MEDIUM - 6.3

A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request f...

Published: Mar 27, 2026
Source: NVD
CVE-2026-4963 MEDIUM - 6.3

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...

Published: Mar 27, 2026
Source: NVD
CVE-2026-34411 MEDIUM - 5.3

Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256 hashes...

Vendor: Appsmith
Product: Appsmith
Published: Mar 27, 2026
Source: NVD