Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,157
Showing 8,241 - 8,260 of 13,708 CVEs
CVE-2026-32287 HIGH - 7.5

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

Vendor: github.com/antchfx/xpath
Product: github.com/antchfx/xpath
Published: Mar 26, 2026
Source: NVD
CVE-2026-32286 HIGH - 7.5

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

Vendor: github.com/jackc/pgproto3/v2
Product: github.com/jackc/pgproto3/v2
Published: Mar 26, 2026
Source: NVD
CVE-2026-32285 HIGH - 7.5

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Vendor: github.com/buger/jsonparser
Product: github.com/buger/jsonparser
Published: Mar 26, 2026
Source: NVD
CVE-2026-32284 HIGH - 7.5

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

Vendor: github.com/shamaton/msgpack, github.com/shamaton/msgpack/v2, github.com/shamaton/msgpack/v3
Product: github.com/shamaton/msgpack, github.com/shamaton/msgpack/v2, github.com/shamaton/msgpack/v3
Published: Mar 26, 2026
Source: NVD
CVE-2023-7338 HIGH - 7.5

Ruckus Unleashed contains a remote code execution vulnerability in the web-based management interface that allows authenticated remote attackers to execute arbitrary code on the system when gateway mode is enabled. Attackers can exploit this vulnerability by sending specially crafted requests throug...

Published: Mar 26, 2026
Source: NVD
CVE-2026-4926 HIGH - 7.5

Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Workarounds: Limit the ...

Vendor: npm
Product: path-to-regexp
Published: Mar 26, 2026
Source: NVD
CVE-2026-33506 HIGH - 8.8

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbac...

Vendor: ory
Product: polis
Published: Mar 26, 2026
Source: NVD
CVE-2026-33491 HIGH - 7.8

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability in the Zen C compiler allows attackers to cause a compiler crash or potentially execute arbitrary code by providing a specially crafted Zen C source ...

Vendor: zenc-lang
Product: zenc
Published: Mar 26, 2026
Source: NVD
CVE-2026-33149 HIGH - 8.1

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build...

Vendor: TandoorRecipes
Product: recipes
Published: Mar 26, 2026
Source: NVD
CVE-2026-30463 HIGH - 7.7

Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /controllers/Login.php component.

Vendor: thedaylightstudio
Product: fuel_cms
Published: Mar 26, 2026
Source: NVD
CVE-2026-33871 HIGH - 7.5

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of...

Vendor: maven
Product: io.netty:netty-codec-http2
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33870 HIGH - 7.5

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix t...

Vendor: maven
Product: io.netty:netty-codec-http
Published: Mar 26, 2026
Source: GitHub

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limi...

Vendor: go
Product: github.com/moby/buildkit
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33747 HIGH - 8.4

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the...

Vendor: go
Product: github.com/moby/buildkit
Published: Mar 26, 2026
Source: GitHub

elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vu...

Vendor: erlang
Product: nodejs
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33487 HIGH - 7.5

goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an olde...

Vendor: russellhaering
Product: goxmldsig
Published: Mar 26, 2026
Source: NVD
CVE-2026-32857 HIGH - 8.6

Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vulnerability in the Playwright scraping service where network policy validation is applied only to the initial user-supplied URL and not to subsequent redirect destinations. Attackers can supply an exte...

Vendor: Firecrawl
Product: Firecrawl
Published: Mar 26, 2026
Source: NVD
CVE-2026-33770 HIGH - 9.8

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `fixCleanTitle()` static method in `objects/category.php` constructs a SQL SELECT query by directly interpolating both `$clean_title` and `$id` into the query string without using prepared statements or parameter...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub
CVE-2026-33767 HIGH - 8.8

WWBN AVideo is an open source video platform. In versions up to and including 26.0, in `objects/like.php`, the `getLike()` method constructs a SQL query using a prepared statement placeholder (`?`) for `users_id` but directly concatenates `$this->videos_id` into the query string without parameter...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub
CVE-2026-4867 HIGH - 7.5

Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two paramete...

Vendor: npm
Product: path-to-regexp
Published: Mar 26, 2026
Source: NVD