Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,830

Showing 8,801 - 8,820 of 13,738 CVEs
CVE-2026-32051 HIGH - 8.8

OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32049 HIGH - 7.5

OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32048 HIGH - 7.5

OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32042 HIGH - 8.8

OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-3368 HIGH - 7.2

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys,...

Published: Mar 21, 2026
Source: NVD
CVE-2026-33427 HIGH - 7.5

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026...

Vendor: discourse
Product: discourse
Published: Mar 21, 2026
Source: NVD
CVE-2026-32666 HIGH - 7.5

WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated Auto...

Vendor: Automated Logic
Product: WebCTRL Premium Server
Published: Mar 21, 2026
Source: NVD
CVE-2026-25086 HIGH - 7.7

Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.

Vendor: Automated Logic
Product: WebCTRL Premium Server
Published: Mar 21, 2026
Source: NVD
CVE-2026-4508 HIGH - 7.3

A vulnerability was identified in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33476 HIGH - 7.5

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving endpoint under `/appearance/*filepath.` Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server p...

Vendor: siyuan-note
Product: siyuan
Published: Mar 20, 2026
Source: NVD
CVE-2026-33243 HIGH - 8.2

barebox is a bootloader. In barebox from version 2016.03.0 to before version 2026.03.1 (and the corresponding backport to 2025.09.3), an attacker could exploit a FIT signature verification vulnerability to trick the bootloader into booting different images than those that were verified as part of a ...

Vendor: barebox
Product: barebox
Published: Mar 20, 2026
Source: NVD
CVE-2026-32663 HIGH - 7.3

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connecti...

Vendor: IGL-Technologies
Product: eParking.fi
Published: Mar 20, 2026
Source: NVD
CVE-2026-31904 HIGH - 7.5

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain una...

Vendor: CTEK
Product: Chargeportal
Published: Mar 20, 2026
Source: NVD
CVE-2026-31903 HIGH - 7.5

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain una...

Vendor: IGL-Technologies
Product: eParking.fi
Published: Mar 20, 2026
Source: NVD
CVE-2026-27649 HIGH - 7.3

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connecti...

Vendor: CTEK
Product: Chargeportal
Published: Mar 20, 2026
Source: NVD
CVE-2026-22163 HIGH - 7.8

Requires malware code to misuse the DDK kernel module IOCTL interface. Such code can use the interface in an unsupported way that allows subversion of the GPU to perform writes to arbitrary physical memory pages. The product utilises a shared resource in a concurrent manner but does not attempt to...

Vendor: Imagination Technologies
Product: Graphics DDK
Published: Mar 20, 2026
Source: NVD
CVE-2026-32887 HIGH - 7.4

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-depe...

Vendor: Effect-TS
Product: effect
Published: Mar 20, 2026
Source: NVD
CVE-2026-2378 HIGH - 7.4

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

Published: Mar 20, 2026
Source: NVD
CVE-2026-23536 HIGH - 7.5

A security issue was discovered in the Feast Feature Server's `/read-document` endpoint that allows an unauthenticated remote attacker to read any file accessible to the server process. By sending a specially crafted HTTP POST request, an attacker can bypass intended access restrictions to pote...

Vendor: Red Hat
Product: Red Hat OpenShift AI (RHOAI)
Published: Mar 20, 2026
Source: NVD
CVE-2026-33509 HIGH - 7.5

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option ...

Vendor: pip
Product: pyload-ng
Published: Mar 20, 2026
Source: GitHub