Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,216
Showing 8,161 - 8,180 of 13,708 CVEs
CVE-2026-33981 HIGH - 6.5

changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticate...

Vendor: pip
Product: changedetection.io
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33980 HIGH - 8.3

Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabili...

Vendor: pip
Product: adx-mcp-server
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33946 HIGH - 5.9

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

Vendor: rubygems
Product: mcp
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33941 HIGH - 8.3

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings, template file names and several CLI options, directly into the JavaScript i...

Vendor: npm
Product: handlebars
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33940 HIGH - 8.1

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treat...

Vendor: npm
Product: handlebars
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33939 HIGH - 7.5

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which r...

Vendor: npm
Product: handlebars
Published: Mar 27, 2026
Source: GitHub
CVE-2026-33938 HIGH - 8.1

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper ov...

Vendor: npm
Product: handlebars
Published: Mar 27, 2026
Source: GitHub
CVE-2026-4965 HIGH - 7.3

A vulnerability was detected in letta-ai letta 0.16.4. This issue affects the function resolve_type of the file letta/functions/ast_parsers.py of the component Incomplete Fix CVE-2025-6101. Performing a manipulation results in improper neutralization of directives in dynamically evaluated code. The ...

Published: Mar 27, 2026
Source: NVD
CVE-2026-33979 HIGH - 8.2

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are ...

Vendor: npm
Product: express-xss-sanitizer
Published: Mar 27, 2026
Source: GitHub
CVE-2026-34040 HIGH - 8.8

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

Vendor: go
Product: github.com/moby/moby
Published: Mar 27, 2026
Source: GitHub
CVE-2026-4962 HIGH - 7.0

A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in uncontrolled search path. The attack needs to be approached locally. This attack is characterized by hi...

Published: Mar 27, 2026
Source: NVD
CVE-2026-4961 HIGH - 8.8

A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack is possible to ...

Vendor: tenda
Product: ac6_firmware
Published: Mar 27, 2026
Source: NVD
CVE-2026-4960 HIGH - 8.8

A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack can be executed remotely. ...

Vendor: tenda
Product: ac6_firmware
Published: Mar 27, 2026
Source: NVD
CVE-2026-30576 HIGH - 7.5

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtprice" and "txttotalcost" parameters during stock entry, allowing negative financial values to be submitted. This le...

Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-30575 HIGH - 7.5

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory ...

Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-30574 HIGH - 7.5

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is ...

Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Published: Mar 27, 2026
Source: NVD
CVE-2026-28369 HIGH - 8.7

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform requ...

Vendor: redhat
Product: build_of_apache_camel_-_hawtio
Published: Mar 27, 2026
Source: NVD
CVE-2026-28368 HIGH - 8.7

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potent...

Vendor: redhat
Product: build_of_apache_camel_-_hawtio
Published: Mar 27, 2026
Source: NVD
CVE-2026-28367 HIGH - 8.7

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, pote...

Published: Mar 27, 2026
Source: NVD
CVE-2025-15381 HIGH - 8.1

In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for...

Vendor: mlflow
Product: mlflow/mlflow
Published: Mar 27, 2026
Source: NVD