Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,189
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,221 - 8,240 of 13,819 CVEs
CVE-2026-3528 MEDIUM - 6.1

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS). This issue affects Calculation Fields: from 0.0.0 before 1.0.4.

Vendor: joaopaulocdev
Product: calculation_fields
Published: Mar 26, 2026
Source: NVD
CVE-2026-3527 MEDIUM - 6.5

Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.

Vendor: ceriumsoft
Product: ajax_dashboard
Published: Mar 26, 2026
Source: NVD
CVE-2026-3526 MEDIUM - 5.3

Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

Vendor: geeks4change
Product: file_access_fix
Published: Mar 26, 2026
Source: NVD
CVE-2026-3525 MEDIUM - 5.3

Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

Vendor: geeks4change
Product: file_access_fix
Published: Mar 26, 2026
Source: NVD
CVE-2026-33742 MEDIUM - 5.4

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in...

Vendor: invoiceninja
Product: invoiceninja
Published: Mar 26, 2026
Source: NVD
CVE-2026-33738 MEDIUM - 5.4

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessibl...

Vendor: LycheeOrg
Product: Lychee
Published: Mar 26, 2026
Source: NVD
CVE-2026-33644 MEDIUM - 4.3

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VA...

Vendor: LycheeOrg
Product: Lychee
Published: Mar 26, 2026
Source: NVD
CVE-2026-33541 MEDIUM - 6.5

TSPortal is the WikiTide Foundation's in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While v...

Vendor: miraheze
Product: TSPortal
Published: Mar 26, 2026
Source: NVD
CVE-2026-33537 MEDIUM - 5.0

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach inte...

Vendor: LycheeOrg
Product: Lychee
Published: Mar 26, 2026
Source: NVD
CVE-2026-33375 MEDIUM - 6.5

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.

Vendor: Grafana
Product: Grafana OSS
Published: Mar 26, 2026
Source: NVD
CVE-2026-2272 MEDIUM - 4.3

A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files, specifically in the `ico_read_info` and `ico_read_icon` functions. This issue arises because a size calculation for image buffers can wrap around due to a 32-bit integer evaluation, allowing oversized...

Published: Mar 26, 2026
Source: NVD
CVE-2026-2100 MEDIUM - 5.3

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially...

Published: Mar 26, 2026
Source: NVD
CVE-2026-21724 MEDIUM - 5.4

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.

Vendor: Grafana
Product: Grafana OSS
Published: Mar 26, 2026
Source: NVD
CVE-2026-0966 MEDIUM - 6.5

The API function `ssh_get_hexa()` is vulnerable when 0-length input is provided to this function. This function is used internally in `ssh_get_fingerprint_hash()` and `ssh_print_hexa()` (deprecated), which is vulnerable to the same input (length is provided by the calling application). The functio...

Published: Mar 26, 2026
Source: NVD
CVE-2026-0964 MEDIUM - 5.0

A malicious SCP server can send unexpected paths that could make the client application overwrite local files outside of the working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue a...

Published: Mar 26, 2026
Source: NVD
CVE-2026-33531 MEDIUM - 6.5

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, a...

Vendor: inventree
Product: InvenTree
Published: Mar 26, 2026
Source: NVD
CVE-2026-2436 MEDIUM - 6.5

A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been ...

Published: Mar 26, 2026
Source: NVD
CVE-2021-4474 MEDIUM - 4.9

Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive infor...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4923 MEDIUM - 5.9

Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*bar-:baz /*a-:b-*c-:...

Vendor: npm
Product: path-to-regexp
Published: Mar 26, 2026
Source: NVD
CVE-2026-3190 MEDIUM - 4.3

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate a...

Vendor: redhat
Product: build_of_keycloak
Published: Mar 26, 2026
Source: NVD