Total CVEs: 141,272
Critical Severity: 3,795
High Severity: 13,729
Last 7 Days: 1,863
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,561 - 8,580 of 13,821 CVEs
CVE-2026-21790 MEDIUM - 6.3

HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could allow an attacker to bypass additional authentication checks.

Vendor: HCLSoftware
Product: Traveler
Published: Mar 24, 2026
Source: NVD
CVE-2025-33242 MEDIUM - 5.9

NVIDIA B300 MCU contains a vulnerability in the CX8 MCU that could allow a malicious actor to modify unsupported registries, causing a bad state. A successful exploit of this vulnerability might lead to denial of service and data tampering.

Vendor: NVIDIA
Product: HGX and DGX B300
Published: Mar 24, 2026
Source: NVD
CVE-2025-33216 MEDIUM - 6.8

NVIDIA SNAP-4 Container contains a vulnerability in the configuration interface where an attacker on a VM may cause an incorrect calculation of buffer size by sending crafted configurations. A successful exploit of this vulnerability may lead to crash of the SNAP service, causing denial of service o...

Vendor: NVIDIA
Product: SNAP-4 Container
Published: Mar 24, 2026
Source: NVD
CVE-2025-33215 MEDIUM - 6.8

NVIDIA SNAP-4 Container contains a vulnerability in the VIRTIO-BLK component where a malicious guest VM may cause use of out-of-range pointer offset by sending crafted messages. A successful exploit of this vulnerability may lead to a denial of service of the DPA and impact the availability of stora...

Vendor: NVIDIA
Product: SNAP-4 Container
Published: Mar 24, 2026
Source: NVD
CVE-2026-33628 MEDIUM - 5.4

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The li...

Vendor: composer
Product: invoiceninja/invoiceninja
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33249 MEDIUM - 4.3

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, inclu...

Vendor: go
Product: github.com/nats-io/nats-server/v2
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33412 MEDIUM - 5.6

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. T...

Vendor: vim
Product: vim
Published: Mar 24, 2026
Source: NVD
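The class of bug described for glob(): a wildcard pattern is handed to /bin/sh for expansion, the code escapes the obvious shell metacharacters, but a newline in the pattern still terminates the command and whatever follows runs as a second command. The block below is an added illustration of that mechanism in Python, not Vim's code: the escaper, the sample directory and the payload are all constructed here, and the hardened variant simply never involves a shell.

```python
import glob
import os
import subprocess
import tempfile

# Metacharacters a (hypothetical) escaper knows about. The newline is missing,
# and to a POSIX shell a newline ends a command exactly like ';' does.
SHELL_META = set(";&|$`<>()\"'\\")


def escape_incomplete(pattern: str) -> str:
    return "".join("\\" + ch if ch in SHELL_META else ch for ch in pattern)


def expand_via_shell(pattern: str, cwd: str) -> list:
    """Vulnerable shape: let /bin/sh expand the wildcard. The escaping above
    looks thorough, but a pattern containing '\\n' runs a second command."""
    cmd = "echo " + escape_incomplete(pattern)
    proc = subprocess.run(["/bin/sh", "-c", cmd], cwd=cwd,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def expand_without_shell(pattern: str, cwd: str) -> list:
    """Hardened shape: match the pattern in-process, glob(3) style. A newline
    is then just one more character that no filename happens to contain."""
    return sorted(os.path.basename(p) for p in glob.glob(os.path.join(cwd, pattern)))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.txt", "b.txt"):            # constructed sample files
            open(os.path.join(d, name), "w").close()
        payload = "*.txt\nprintf INJECTED"         # constructed attacker pattern
        return {
            "shell": expand_via_shell(payload, d),              # ['a.txt b.txt', 'INJECTED']
            "noshell": expand_without_shell(payload, d),        # []
            "noshell_benign": expand_without_shell("*.txt", d), # ['a.txt', 'b.txt']
        }


if __name__ == "__main__":
    print(demo())
```

The second line of the shell output is the tell: `printf INJECTED` was never part of the intended `echo`, it ran because the newline was passed through untouched. Escaping lists are a losing game here; the durable fix is to not construct a shell command from the pattern at all, or, when a shell is unavoidable, to reject control characters outright before the pattern reaches it.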
CVE-2026-33345 MEDIUM - 6.5

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index()...

Vendor: solidtime-io
Product: solidtime
Published: Mar 24, 2026
Source: NVD
CVE-2026-21783 MEDIUM - 4.3

HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this inf...

Vendor: HCLSoftware
Product: Traveler
Published: Mar 24, 2026
Source: NVD
CVE-2026-33621 MEDIUM - 4.8

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints. In `v0.7.7` through `v0.8.3`, a fully implemented `RateLimitMiddleware` existed in `inter...

Vendor: go
Product: github.com/pinchtab/pinchtab
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33623 MEDIUM - 6.7

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using ...

Vendor: go
Product: github.com/pinchtab/pinchtab/cmd/pinchtab
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33622 MEDIUM - 8.8

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POST...

Vendor: go
Product: github.com/pinchtab/pinchtab/cmd/pinchtab
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33620 MEDIUM - 4.3

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition to the `Authorization` header. When a valid API credential is sent in the URL, it can be exposed th...

Vendor: go
Product: github.com/pinchtab/pinchtab
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33619 MEDIUM - 4.1

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0....

Vendor: go
Product: github.com/pinchtab/pinchtab
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33545 MEDIUM - 5.3

MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. Wh...

Vendor: pip
Product: mobsf
Published: Mar 24, 2026
Source: GitHub
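The point worth seeing in code is that a table name read from `sqlite_master` is attacker data whenever the database file itself is untrusted, and that an identifier cannot be bound as a `?` parameter, so `%` formatting turns the name into part of the statement. The block below is an added example, not MobSF's `read_sqlite()`: the in-memory database, the table named after a SQL fragment and the two dump routines are constructed here.

```python
import sqlite3

# Constructed sample: a SQLite file from an untrusted app whose table *name*
# is a SQL fragment. Quoted identifiers may contain spaces, quotes and keywords.
PAYLOAD_TABLE = "users WHERE 0 UNION SELECT 'injected', sqlite_version()"


def quote_ident(name: str) -> str:
    """Quote a SQL identifier for SQLite: wrap in double quotes and double any
    embedded double quote. Identifiers cannot be passed as ? parameters, so
    this is the correct way to splice a table name into a statement."""
    return '"' + name.replace('"', '""') + '"'


def build_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice')")
    con.execute("CREATE TABLE %s (id INTEGER, name TEXT)" % quote_ident(PAYLOAD_TABLE))
    con.execute("INSERT INTO %s VALUES (2, 'bob')" % quote_ident(PAYLOAD_TABLE))
    return con


def table_names(con: sqlite3.Connection) -> list:
    # Same source the advisory names: table names read back from sqlite_master.
    rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


def dump_vulnerable(con: sqlite3.Connection) -> dict:
    """Vulnerable shape: the untrusted name is spliced in with % formatting,
    so the second table's name rewrites the query into a UNION of the attacker's choosing."""
    out = {}
    for name in table_names(con):
        out[name] = con.execute("SELECT * FROM %s" % name).fetchall()
    return out


def dump_hardened(con: sqlite3.Connection) -> dict:
    """Hardened shape: the name is quoted as an identifier, so the statement
    reads exactly the table sqlite_master listed and nothing else."""
    out = {}
    for name in table_names(con):
        out[name] = con.execute("SELECT * FROM %s" % quote_ident(name)).fetchall()
    return out


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:", dump_vulnerable(db)[PAYLOAD_TABLE])  # [('injected', '<sqlite version>')], bob never appears
    print("hardened:  ", dump_hardened(db)[PAYLOAD_TABLE])    # [(2, 'bob')]
```

Python's `sqlite3` refuses to run more than one statement per `execute()`, which is why the constructed name stays inside a single `SELECT`; that limit narrows what an attacker can do but does not remove the injection. Quoting the identifier makes the statement shape independent of the name, and a stricter variant can additionally reject names that fail an allow-list regex before they are used at all.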
CVE-2026-33769 MEDIUM - 5.3

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that c...

Vendor: withastro
Product: astro
Published: Mar 24, 2026
Source: NVD
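The security-relevant detail in this entry is the word "unanchored": a `/*` pattern that is compiled into a prefix match and then tested with a search instead of a full match accepts the allowed prefix anywhere in the pathname. The block below is an added illustration of that difference, not Astro's `remotePatterns` implementation; the rule shape (exact scheme and host, pathname ending in `/*`), the URLs and the helper names are all assumptions made here.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list rule in the spirit of a remotePatterns entry.
# Assumption: exact scheme and host, pathname with a trailing "/*" meaning "anything below".
ALLOWED = {"protocol": "https", "hostname": "cdn.example.com", "pathname": "/images/*"}


def _pathname_regex_source(pattern: str) -> str:
    # "/images/*" -> "/images/.*"; every other character is taken literally.
    return re.escape(pattern).replace(r"\*", ".*")


def path_matches_unanchored(pattern: str, pathname: str) -> bool:
    # Bug class under discussion: search() accepts the prefix anywhere in the path.
    return re.search(_pathname_regex_source(pattern), pathname) is not None


def path_matches_anchored(pattern: str, pathname: str) -> bool:
    # Fix: the whole pathname must match, first character to last.
    return re.fullmatch(_pathname_regex_source(pattern), pathname) is not None


def is_allowed(url: str, anchored: bool, rule: dict = ALLOWED) -> bool:
    parts = urlsplit(url)
    if parts.scheme != rule["protocol"] or parts.hostname != rule["hostname"]:
        return False
    check = path_matches_anchored if anchored else path_matches_unanchored
    return check(rule["pathname"], parts.path)


def compare(urls) -> dict:
    """For each URL: (decision with the unanchored matcher, decision with the anchored one)."""
    return {u: (is_allowed(u, False), is_allowed(u, True)) for u in urls}


SAMPLE_URLS = [                                   # constructed inputs
    "https://cdn.example.com/images/logo.png",     # (True, True)
    "https://cdn.example.com/uploads/images/x.png",# (True, False): prefix found mid-path
    "https://cdn.example.com/private/avatar.png",  # (False, False)
    "https://evil.example.com/images/x.png",       # (False, False): host check still holds
]

if __name__ == "__main__":
    for url, (loose, strict) in compare(SAMPLE_URLS).items():
        print(f"{url}: unanchored={loose} anchored={strict}")
```

The second sample URL is the one that matters: under the unanchored matcher a user-uploaded path that merely contains `/images/` is treated as if it lived under the allowed prefix. Anchoring the match is the fix for that specific defect; collapsing `..` segments before matching is a separate concern and is deliberately not attempted here.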
CVE-2026-33768 MEDIUM - 6.5

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel&...

Vendor: withastro
Product: astro
Published: Mar 24, 2026
Source: NVD
CVE-2026-33527 MEDIUM - 4.3

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API....

Vendor: parse-community
Product: parse-server
Published: Mar 24, 2026
Source: NVD
CVE-2026-33417 MEDIUM - 6.5

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp column, but the token validation logic never checks it. A password reset token remains valid indefini...

Vendor: ellite
Product: Wallos
Published: Mar 24, 2026
Source: NVD
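The defect is a lookup that matches the token but never reads the `created_at` column sitting next to it. The block below is an added example showing the lookup both ways, not Wallos's code: the one-hour lifetime, the single-use consumption and the decision to store only a hash of the token are assumptions made here (the page says nothing about how the token is stored), and the table keeps the `created_at` column the advisory names.

```python
import hashlib
import secrets
import sqlite3

TOKEN_TTL_SECONDS = 60 * 60      # assumption: reset links live one hour
DAY = 24 * 60 * 60


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # created_at mirrors the column the advisory names. Storing a hash of the
    # token rather than the token itself is an added hardening, not from the page.
    con.execute("CREATE TABLE password_resets (email TEXT, token_hash TEXT, created_at INTEGER)")
    return con


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(con, email: str, now: int) -> str:
    token = secrets.token_urlsafe(32)
    con.execute("DELETE FROM password_resets WHERE email = ?", (email,))  # one live token per account
    con.execute("INSERT INTO password_resets VALUES (?, ?, ?)", (email, _token_hash(token), now))
    return token


def redeem_vulnerable(con, token: str):
    """Validation that never consults created_at: a leaked token works forever."""
    row = con.execute("SELECT email FROM password_resets WHERE token_hash = ?",
                      (_token_hash(token),)).fetchone()
    return row[0] if row else None


def redeem_hardened(con, token: str, now: int, ttl: int = TOKEN_TTL_SECONDS):
    """Checks age against created_at and consumes the token whatever the outcome."""
    h = _token_hash(token)
    row = con.execute("SELECT email, created_at FROM password_resets WHERE token_hash = ?",
                      (h,)).fetchone()
    if row is None:
        return None
    email, created_at = row
    con.execute("DELETE FROM password_resets WHERE token_hash = ?", (h,))  # single use
    if now - created_at > ttl:
        return None                      # expired: indistinguishable from an unknown token
    return email


def demo() -> dict:
    con = open_db()
    t0 = 1_700_000_000                   # constructed clock, seconds since the epoch
    old = issue_token(con, "alice@example.com", t0)
    result = {
        "vulnerable_after_week": redeem_vulnerable(con, old),             # 'alice@example.com'
        "hardened_after_week": redeem_hardened(con, old, t0 + 7 * DAY),  # None
    }
    fresh = issue_token(con, "alice@example.com", t0 + 7 * DAY)
    result["hardened_fresh"] = redeem_hardened(con, fresh, t0 + 7 * DAY + 60)   # 'alice@example.com'
    result["hardened_reuse"] = redeem_hardened(con, fresh, t0 + 7 * DAY + 61)   # None
    return result


if __name__ == "__main__":
    print(demo())
```

Passing `now` in explicitly rather than calling the clock inside the function is what makes the expiry path testable; the deletion before the age check also closes the window in which an expired row could be retried, and an expired token returns the same `None` as a token that never existed so the response does not leak which case applied.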
CVE-2026-29772 MEDIUM - 5.9

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects ac...

Vendor: withastro
Product: astro
Published: Mar 24, 2026
Source: NVD