Total CVEs: 141,272
Critical Severity: 3,795
High Severity: 13,729
Last 7 Days: 1,855

Showing 8,601 - 8,620 of 13,738 CVEs
CVE-2026-33627 HIGH - 6.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes...

Vendor: parse-community
Product: parse-server
Published: Mar 24, 2026
Source: NVD
CVE-2026-33539 HIGH - 7.2

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name para...

Vendor: parse-community
Product: parse-server
Published: Mar 24, 2026
Source: NVD
CVE-2026-33538 HIGH - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server exec...

Vendor: parse-community
Product: parse-server
Published: Mar 24, 2026
Source: NVD
CVE-2026-30932 HIGH - 8.8

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file direc...

Vendor: froxlor
Product: froxlor
Published: Mar 24, 2026
Source: NVD
CVE-2026-1995 HIGH - 7.8

IDrive’s id_service.exe process runs with elevated privileges and regularly reads from several files under the C:\ProgramData\IDrive\ directory. The UTF16-LE encoded contents of these files are used as arguments for starting a process, but they can be edited by any standard user logged into the syst...

Published: Mar 24, 2026
Source: NVD
CVE-2026-33399 HIGH - 7.7

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corres...

Vendor: ellite
Product: Wallos
Published: Mar 24, 2026
Source: NVD
CVE-2026-33157 HIGH - 7.2

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseC...

Vendor: craftcms
Product: cms
Published: Mar 24, 2026
Source: NVD
CVE-2026-32854 HIGH - 7.5

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit...

Vendor: LibVNC
Product: LibVNCServer
Published: Mar 24, 2026
Source: NVD
CVE-2026-32853 HIGH - 8.1

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltra...

Vendor: LibVNC
Product: LibVNCServer
Published: Mar 24, 2026
Source: NVD
CVE-2026-33680 HIGH - 7.5

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from ...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33678 HIGH - 8.1

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `Read...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33668 HIGH - 8.1

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV ba...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33336 HIGH - 8.8

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-gene...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-33335 HIGH - 8.0

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can p...

Vendor: go-vikunja
Product: vikunja
Published: Mar 24, 2026
Source: NVD
CVE-2026-29839 HIGH - 8.8

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.

Vendor: dedecms
Product: dedecms
Published: Mar 24, 2026
Source: NVD
CVE-2026-4775 HIGH - 7.8

A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potent...

Published: Mar 24, 2026
Source: NVD
CVE-2026-33554 HIGH - 7.5

ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system managemen...

Published: Mar 24, 2026
Source: NVD
CVE-2026-32647 HIGH - 7.8

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affect...

Vendor: F5
Product: NGINX Open Source, NGINX Plus
Published: Mar 24, 2026
Source: NVD
CVE-2026-30653 HIGH - 7.5

An issue in Free5GC v.4.2.0 and before allows a remote attacker to cause a denial of service via the function HandleAuthenticationFailure of the component AMF.

Vendor: free5gc
Product: free5gc
Published: Mar 24, 2026
Source: NVD
CVE-2026-27784 HIGH - 7.8

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it i...

Vendor: F5
Product: NGINX Open Source
Published: Mar 24, 2026
Source: NVD