Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 1,933
Showing 8,641 - 8,660 of 14,200 CVEs
CVE-2026-33517 MEDIUM - 6.1

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Ver...

Vendor: mantisbt
Product: mantisbt
Published: Mar 23, 2026
Source: NVD
CVE-2026-32852 MEDIUM - 6.1

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter ...

Vendor: MailEnable
Product: MailEnable
Published: Mar 23, 2026
Source: NVD
CVE-2026-32851 MEDIUM - 6.1

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter ...

Vendor: MailEnable
Product: MailEnable
Published: Mar 23, 2026
Source: NVD
CVE-2026-32850 MEDIUM - 6.1

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the SelectedIndex parame...

Vendor: MailEnable
Product: MailEnable
Published: Mar 23, 2026
Source: NVD
CVE-2026-30886 MEDIUM - 6.5

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access v...

Vendor: QuantumNous
Product: new-api
Published: Mar 23, 2026
Source: NVD
CVE-2026-27131 MEDIUM - 5.5

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other se...

Vendor: putyourlightson
Product: craft-sprig
Published: Mar 23, 2026
Source: NVD
CVE-2025-52204 MEDIUM - 6.1

A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter.

Published: Mar 23, 2026
Source: NVD
CVE-2024-46879 MEDIUM - 5.4

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthor...

Published: Mar 23, 2026
Source: NVD
CVE-2024-46878 MEDIUM - 5.4

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.

Published: Mar 23, 2026
Source: NVD
CVE-2026-32879 MEDIUM - 4.9

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAu...

Vendor: go
Product: github.com/QuantumNous/new-api
Published: Mar 23, 2026
Source: GitHub
CVE-2026-33690 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-33688 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames an...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-33685 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel na...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-33683 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` f...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-4593 MEDIUM - 6.3

A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the component MCP Tool Interface. This manipulation causes sql injection hibernate. It is possible to initi...

Published: Mar 23, 2026
Source: NVD
CVE-2026-30007 MEDIUM - 6.2

XnSoft NConvert 7.230 is vulnerable to Use-After-Free via a crafted .tiff file.

Vendor: xnview
Product: nconvert
Published: Mar 23, 2026
Source: NVD
CVE-2026-30006 MEDIUM - 6.2

XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun via a crafted .tiff file.

Vendor: xnview
Product: nconvert
Published: Mar 23, 2026
Source: NVD
CVE-2026-4592 MEDIUM - 5.6

A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is possi...

Published: Mar 23, 2026
Source: NVD
CVE-2026-4591 MEDIUM - 4.7

A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit ha...

Published: Mar 23, 2026
Source: NVD
CVE-2024-51226 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Search parameter.

Vendor: phpgurukul
Product: vehicle_record_management_system
Published: Mar 23, 2026
Source: NVD