Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,848
Showing 8,701 - 8,720 of 13,738 CVEs
CVE-2026-4612 HIGH - 7.3

A vulnerability has been found in itsourcecode Free Hotel Reservation System 1.0. This affects an unknown part of the file /hotel/admin/mod_users/index.php?view=edit&id=8 of the component Parameter Handler. The manipulation of the argument account_id leads to sql injection. Remote exploitation o...

Published: Mar 23, 2026
Source: NVD
CVE-2026-4611 HIGH - 7.2

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.

Published: Mar 23, 2026
Source: NVD
CVE-2026-32300 HIGH - 8.1

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 ...

Vendor: opensource-workshop
Product: connect-cms
Published: Mar 23, 2026
Source: NVD
CVE-2026-32299 HIGH - 7.5

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.4...

Vendor: opensource-workshop
Product: connect-cms
Published: Mar 23, 2026
Source: NVD
CVE-2026-32278 HIGH - 8.2

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

Vendor: opensource-workshop
Product: connect-cms
Published: Mar 23, 2026
Source: NVD
CVE-2026-32277 HIGH - 8.7

Connect-CMS is a content management system. In versions 1.35.0 through 1.41.0 and 2.35.0 through 2.41.0, a DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view. Versions 1.41.1 and 2.41.1 contain a patch.

Vendor: opensource-workshop
Product: connect-cms
Published: Mar 23, 2026
Source: NVD
CVE-2026-32276 HIGH - 8.8

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

Vendor: opensource-workshop
Product: connect-cms
Published: Mar 23, 2026
Source: NVD
CVE-2025-60947 HIGH - 8.8

Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.

Vendor: Census
Product: CSWeb
Published: Mar 23, 2026
Source: NVD
CVE-2025-60946 HIGH - 8.8

Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.

Vendor: Census
Product: CSWeb
Published: Mar 23, 2026
Source: NVD
CVE-2026-33430 HIGH - 7.3

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce a Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the...

Vendor: pip
Product: briefcase
Published: Mar 23, 2026
Source: GitHub
CVE-2026-33195 HIGH - 9.8

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing pat...

Vendor: rubygems
Product: activestorage
Published: Mar 23, 2026
Source: GitHub
CVE-2026-23882 HIGH - 7.2

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

Vendor: blinkospace
Product: blinko
Published: Mar 23, 2026
Source: NVD
CVE-2026-23482 HIGH - 7.5

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are...

Vendor: blinkospace
Product: blinko
Published: Mar 23, 2026
Source: NVD
CVE-2026-23480 HIGH - 8.8

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided pas...

Vendor: blinkospace
Product: blinko
Published: Mar 23, 2026
Source: NVD
CVE-2026-33723 HIGH - 7.1

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `Subscribe::save()` method in `objects/subscribe.php` concatenates the `$this->users_id` property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from ...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
CVE-2026-33719 HIGH - 8.6

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configure...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
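The CDN plugin entry above describes a key check whose default key is the empty string, so an unconfigured plugin accepts an empty (or absent) key. The following is an added example in Python, not AVideo's PHP code: a key check that fails closed when nothing has been provisioned and compares in constant time. The config dictionaries, request shape and endpoint names are constructed for the demo.

```python
"""Added example, not AVideo's code: key-based endpoint authentication that
fails closed when no key has been configured. The config dicts and requests
used below are constructed for the demo."""
import hmac
import secrets
from typing import Optional


def key_matches_vulnerable(configured_key: str, presented_key: str) -> bool:
    # The pattern the advisory describes: an unset key defaults to "" and a
    # request that simply sends "" (or nothing) compares equal to it.
    return configured_key == presented_key


def key_matches(configured_key: Optional[str], presented_key: Optional[str]) -> bool:
    # An unset or empty configured key means the endpoint was never provisioned:
    # refuse everything rather than treating "" as a valid shared secret.
    if not configured_key or presented_key is None:
        return False
    # compare_digest keeps the comparison time independent of where the strings differ.
    return hmac.compare_digest(configured_key.encode("utf-8"), presented_key.encode("utf-8"))


def generate_key() -> str:
    """Server-side key to store in the plugin config: 32 random bytes, URL-safe."""
    return secrets.token_urlsafe(32)


def handle_status(config: dict, request: dict) -> tuple:
    """Dispatch for a status-style endpoint: returns (http_status, body)."""
    if not config.get("cdn_enabled"):
        return (404, "plugin disabled")
    if not key_matches(config.get("cdn_key"), request.get("key")):
        return (403, "forbidden")
    return (200, "status ok")


if __name__ == "__main__":
    print("vulnerable, unset key, empty request key:", key_matches_vulnerable("", ""))
    print("hardened,   unset key, empty request key:", key_matches("", ""))
    cfg = {"cdn_enabled": True, "cdn_key": generate_key()}
    print(handle_status(cfg, {"key": cfg["cdn_key"]}), handle_status(cfg, {"key": ""}))
```

The important branch is the first `if` in `key_matches`: an empty configured key is a deployment state, not a credential, and the endpoint should be unreachable until an operator sets one.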
CVE-2026-33717 HIGH - 8.8

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `downloadVideoFromDownloadURL()` function in `objects/aVideoEncoder.json.php` saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including `.php`). ...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
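The entry above (remote content saved under the original URL's file name and extension into a web-accessible directory) and the CSWeb arbitrary-upload entry earlier on this page are the same class: the caller chooses the stored name. The following is an added example in Python, not AVideo's or CSWeb's code, showing the server choosing both the name and the extension. The allowed-extension set, the private root directory and the sample URLs are assumptions made for the demo.

```python
"""Added example, not AVideo's or CSWeb's code: storing fetched or uploaded
content under a server-chosen name with an allow-listed extension. The
extension list, private root and sample URLs are constructed for the demo."""
import os
import secrets
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_EXTENSIONS = {".mp4", ".webm", ".mkv", ".mp3"}   # assumed media types
PRIVATE_ROOT = Path("/var/lib/app/incoming")              # assumed; not served by the web server


class RejectedFile(ValueError):
    """Raised when the source name carries an extension the server will not store."""


def safe_storage_name(source_url: str) -> str:
    """Return a server-generated file name for content fetched from `source_url`.

    The vulnerable pattern keeps the remote name and extension verbatim, so
    http://attacker.example/x.php lands as x.php inside a web-reachable temp
    directory and is then executed on request. Here only the extension is
    taken from the URL, it must be on the allow-list, and the base name is
    random so the caller controls neither part of the final path.
    """
    remote_name = os.path.basename(urlparse(source_url).path)
    ext = Path(remote_name).suffix.lower()   # last suffix only: "x.mp4.php" -> ".php"
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedFile(f"extension not allowed: {ext or '(none)'}")
    return secrets.token_hex(16) + ext


def is_acceptable_source(source_url: str) -> bool:
    """True when safe_storage_name() would accept the URL."""
    try:
        safe_storage_name(source_url)
        return True
    except RejectedFile:
        return False


def destination_for(source_url: str) -> Path:
    """Final path: random name under a directory the web server never serves."""
    return PRIVATE_ROOT / safe_storage_name(source_url)


if __name__ == "__main__":
    for url in ("http://cdn.example/clips/talk.mp4",
                "http://attacker.example/shell.php",
                "http://attacker.example/clip.mp4.php",
                "http://attacker.example/clip.PHTML?x=.mp4"):
        ok = is_acceptable_source(url)
        print(f"{url:44} -> {destination_for(url) if ok else 'REJECTED'}")
```

The query string is discarded by `urlparse(...).path`, the extension is lower-cased before the allow-list check, and the random base name means a stored file can never be addressed by a name the attacker predicted.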
CVE-2026-33681 HIGH - 7.2

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginRunDatabaseScript.json.php` endpoint accepts a `name` parameter via POST and passes it to `Plugin::getDatabaseFileName()` without any path traversal sanitization. This allows an authenticated admin...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
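Four entries on this page are path-traversal bugs with the same root cause: Active Storage's `DiskService#path_for` not checking that the resolved path stays under the storage root, Blinko's file server not filtering traversal sequences on the temp/ path, CSWeb's arbitrary file path input, and the AVideo `pluginRunDatabaseScript.json.php` entry just above. The following is an added example in Python, not code from any of those projects, of a resolver that rejects anything outside its root. The root path and the sample keys are constructed for the demo and nothing is written to disk.

```python
"""Added example, not code from Active Storage, Blinko, CSWeb or AVideo:
a storage helper that refuses to resolve a caller-supplied key outside its
root. The root path and the sample keys below are constructed for the demo."""
import os
from pathlib import Path

STORAGE_ROOT = "/srv/storage"  # assumed location; nothing is written to it


class PathEscapesRoot(ValueError):
    """Raised when a key resolves to a location outside the storage root."""


def path_for(root: str, key: str) -> Path:
    """Resolve `key` under `root` and verify the result stays inside it.

    The vulnerable pattern is `os.path.join(root, key)` with no check: a key
    such as "../../etc/passwd" walks out of the root, and an absolute key
    replaces the root entirely because join() honours it. Here both are
    rejected after '..' components and symlinks have been collapsed.
    """
    root_real = Path(root).resolve()
    if os.path.isabs(key):
        raise PathEscapesRoot(f"absolute key rejected: {key!r}")
    candidate = (root_real / key).resolve()
    # Containment is checked component-wise, so a sibling directory such as
    # /srv/storage-evil is not mistaken for /srv/storage; the root itself
    # is also rejected because a blob key must name something beneath it.
    if candidate == root_real or not candidate.is_relative_to(root_real):
        raise PathEscapesRoot(f"key escapes storage root: {key!r}")
    return candidate


def is_safe_key(root: str, key: str) -> bool:
    """True when `key` resolves to a path strictly inside `root`."""
    try:
        path_for(root, key)
        return True
    except PathEscapesRoot:
        return False


if __name__ == "__main__":
    for key in ("ab/cd/blobkey", "../../../etc/passwd", "/etc/passwd",
                "ok/../../x", "../storage-evil/x", "ok/../inside"):
        verdict = "allowed" if is_safe_key(STORAGE_ROOT, key) else "REJECTED"
        print(f"{key!r:24} -> {verdict}")
```

A string-prefix check (`str(candidate).startswith(str(root))`) is the common wrong fix; it passes `/srv/storage-evil/x` for a root of `/srv/storage`, which is why the example compares path components instead.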
CVE-2026-33651 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concat...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD
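The `remindMe.json.php` entry above, the `Subscribe::save()` entry before it, and the hotel reservation `account_id` entry at the top of this page all describe a request value concatenated directly into SQL. The following is an added example in Python against SQLite, not code from AVideo or the hotel system, putting the concatenated form next to the bound-parameter form so the difference in behaviour is visible. The table, its rows and the parameter name are constructed for the demo.

```python
"""Added example, not code from AVideo or the hotel reservation system: the
same lookup written with string concatenation and with a bound parameter,
run against an in-memory SQLite table constructed for the demo."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE live_schedule (id INTEGER PRIMARY KEY, title TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO live_schedule VALUES (?, ?, ?)",
        [(1, "Town hall", 1), (2, "Private briefing", 1), (3, "Old stream", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, live_schedule_id: str) -> List[Tuple]:
    # The pattern the advisories describe: the request value becomes part of
    # the statement text, so "1 OR 1=1" rewrites the WHERE clause (AND binds
    # tighter than OR, so the trailing OR discards both original conditions).
    sql = f"SELECT id, title FROM live_schedule WHERE active = 1 AND id = {live_schedule_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, live_schedule_id: str) -> List[Tuple]:
    # Type-check first: an id is an integer, anything else is not a lookup.
    try:
        id_value = int(live_schedule_id)
    except ValueError:
        return []
    # The bound parameter is sent as data; it can never alter the query shape.
    sql = "SELECT id, title FROM live_schedule WHERE active = 1 AND id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):
        print(f"{value!r:12} vulnerable -> {lookup_vulnerable(db, value)}")
        print(f"{value!r:12} bound      -> {lookup_parameterised(db, value)}")
```

The vulnerable form returns every row, including the inactive one, for `1 OR 1=1`; the bound form returns nothing for the same input because it is not an integer, and would return only the matching row even if the driver were handed the raw string.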
CVE-2026-33650 HIGH - 7.6

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations, including ownership transfer and deletion of any video, despite the permission being docu...

Vendor: WWBN
Product: AVideo
Published: Mar 23, 2026
Source: NVD