Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,830
Showing 8,841 - 8,860 of 13,738 CVEs
CVE-2026-33485 HIGH - 7.5

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the RTMP `on_publish` callback at `plugin/Live/on_publish.php` is accessible without authentication. The `$_POST['name']` parameter (stream key) is interpolated directly into SQL queries in two locations — ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33484 HIGH - 7.5

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name r...

Vendor: pip
Product: langflow
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33483 HIGH - 7.5

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33482 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (`&&`, `;`, `|`, `` `...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33421 HIGH - 6.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields)....

Vendor: npm
Product: parse-server
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33480 HIGH - 8.6

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetch...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33479 HIGH - 8.8

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33418 HIGH - 7.5

DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by...

Vendor: npm
Product: @dicebear/converter
Published: Mar 20, 2026
Source: GitHub
CVE-2026-4504 HIGH - 7.3

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The v...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4499 HIGH - 7.3

A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Published: Mar 20, 2026
Source: NVD
CVE-2026-4437 HIGH - 7.5

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the appli...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4497 HIGH - 7.3

A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and m...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33010 HIGH - 8.1

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*&...

Vendor: doobidoo
Product: mcp-memory-service
Published: Mar 20, 2026
Source: NVD
CVE-2026-32710 HIGH - 8.5

MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These con...

Vendor: MariaDB
Product: server
Published: Mar 20, 2026
Source: NVD
CVE-2026-32318 HIGH - 7.6

Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before ...

Vendor: cryptomator
Product: ios
Published: Mar 20, 2026
Source: NVD
CVE-2026-32317 HIGH - 7.6

Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Be...

Vendor: cryptomator
Product: android
Published: Mar 20, 2026
Source: NVD
CVE-2026-32309 HIGH - 7.5

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over plai...

Vendor: cryptomator
Product: cryptomator
Published: Mar 20, 2026
Source: NVD
CVE-2026-4493 HIGH - 8.8

A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impacted element is the function sub_423B50 of the file /goform/setMacFilterCfg of the component MAC Filtering Configuration Endpoint. Executing a manipulation of the argument deviceList can lead to stack-based buffer overflow. The att...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4492 HIGH - 8.8

A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit has b...

Published: Mar 20, 2026
Source: NVD
CVE-2026-32303 HIGH - 7.6

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Before this fix, the client trusted endp...

Vendor: cryptomator
Product: cryptomator
Published: Mar 20, 2026
Source: NVD