Total CVEs: 141,272
Critical Severity: 3,795
High Severity: 13,729
Last 7 Days: 1,855
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,581 - 8,600 of 13,821 CVEs
CVE-2026-33635 MEDIUM - 4.3

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitra...

Vendor: rubygems
Product: icalendar
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33401 MEDIUM - 6.5

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI re...

Vendor: ellite
Product: Wallos
Published: Mar 24, 2026
Source: NVD
CVE-2026-33400 MEDIUM - 5.4

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscri...

Vendor: ellite
Product: Wallos
Published: Mar 24, 2026
Source: NVD
CVE-2026-33162 MEDIUM - 6.5

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either so...

Vendor: craftcms
Product: cms
Published: Mar 24, 2026
Source: NVD
CVE-2026-33159 MEDIUM - 6.5

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-chang...

Vendor: craftcms
Product: cms
Published: Mar 24, 2026
Source: NVD
CVE-2026-33158 MEDIUM - 6.5

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized ...

Vendor: craftcms
Product: cms
Published: Mar 24, 2026
Source: NVD
CVE-2026-33528 MEDIUM - 6.5

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBase...

Vendor: go
Product: github.com/yusing/godoxy
Published: Mar 24, 2026
Source: GitHub
CVE-2026-33700 MEDIUM - 4.9

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares f...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33679 MEDIUM - 6.4

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls ...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33677 MEDIUM - 6.5

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existi...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33676 MEDIUM - 6.5

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projec...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33675 MEDIUM - 6.4

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Tr...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-29840 MEDIUM - 5.4

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags ...

Vendor: jizhicms
Product: jizhicms
Published: Mar 24, 2026
Source: NVD
CVE-2026-32948 MEDIUM - 7.8

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to thes...

Vendor: maven
Product: org.scala-sbt:sbt
Published: Mar 24, 2026
Source: GitHub
CVE-2026-30662 MEDIUM - 6.5

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with &#...

Vendor: concretecms
Product: concrete_cms
Published: Mar 24, 2026
Source: NVD
CVE-2026-30661 MEDIUM - 6.1

iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters.

Vendor: idreamsoft
Product: icms
Published: Mar 24, 2026
Source: NVD
CVE-2026-30655 MEDIUM - 6.5

SQL injection in Solicitante::resetaSenha() in esiclivre/esiclivre v0.2.2 and earlier allows unauthenticated remote attackers to gain unauthorized access to sensitive information via the cpfcnpj parameter in /reset/index.php.

Vendor: esiclivre
Product: esiclivre
Published: Mar 24, 2026
Source: NVD
CVE-2026-28755 MEDIUM - 5.4

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certi...

Vendor: F5
Product: NGINX Open Source, NGINX Plus
Published: Mar 24, 2026
Source: NVD
CVE-2026-4728 MEDIUM - 6.5

Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.

Vendor: mozilla
Product: firefox
Published: Mar 24, 2026
Source: NVD
CVE-2019-25645 MEDIUM - 6.2

WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by processing malformed AVI files. Attackers can create a specially crafted AVI file with an oversized buffer and load it through the Convert to iPhone function to ...

Vendor: Winavi
Product: WinAVI iPod/3GP/MP4/PSP Converter
Published: Mar 24, 2026
Source: NVD