Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,823
Showing 8,881 - 8,900 of 13,738 CVEs
CVE-2026-33072 HIGH - 8.2

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations (HMAC token generation, AES config encryption, and session tokens), allowing any unauthenticated attac...

Vendor: error311
Product: FileRise
Published: Mar 20, 2026
Source: NVD
CVE-2026-33069 HIGH - 7.5

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This ...

Vendor: pjsip
Product: pjproject
Published: Mar 20, 2026
Source: NVD
CVE-2026-32701 HIGH - 7.5

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written o...

Vendor: QwikDev
Product: qwik
Published: Mar 20, 2026
Source: NVD
CVE-2026-27625 HIGH - 8.1

Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working ...

Vendor: Stirling-Tools
Product: Stirling-PDF
Published: Mar 20, 2026
Source: NVD
CVE-2026-4478 HIGH - 8.1

A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack is possible to be car...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4475 HIGH - 8.8

A vulnerability has been found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been dis...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33037 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 25.0 and below, the official Docker deployment files (docker-compose.yml, env.example) ship with the admin password set to "password", which is automatically used to seed the admin account during installation, meaning any instance d...

Vendor: WWBN
Product: AVideo
Published: Mar 20, 2026
Source: NVD
CVE-2026-33025 HIGH - 8.8

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it o...

Vendor: WWBN
Product: AVideo-Encoder
Published: Mar 20, 2026
Source: NVD
CVE-2026-33013 HIGH - 7.5

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayTo...

Vendor: micronaut-projects
Product: micronaut-core
Published: Mar 20, 2026
Source: NVD
CVE-2026-32954 HIGH - 7.1

ERP is a free and open source Enterprise Resource Planning tool. In versions prior to 16.8.0 and 15.100.0, certain endpoints were vulnerable to time-based and boolean-based blind SQL injection due to insufficient parameter validation, allowing attackers to infer database information. This issue has ...

Vendor: frappe
Product: erpnext
Published: Mar 20, 2026
Source: NVD
CVE-2026-32950 HIGH - 8.8

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a critical SQL Injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that enables Remote Code Execution (RCE), allowing any authenticated user (even the lowest-privile...

Vendor: dataease
Product: SQLBot
Published: Mar 20, 2026
Source: NVD
CVE-2026-32949 HIGH - 7.5

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server. An attacker can exploit the /api/v1/datas...

Vendor: dataease
Product: SQLBot
Published: Mar 20, 2026
Source: NVD
CVE-2026-32942 HIGH - 8.1

PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.

Vendor: pjsip
Product: pjproject
Published: Mar 20, 2026
Source: NVD
CVE-2026-32939 HIGH - 8.1

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its securi...

Vendor: dataease
Product: dataease
Published: Mar 20, 2026
Source: NVD
CVE-2026-32933 HIGH - 7.5

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an att...

Vendor: LuckyPennySoftware
Product: AutoMapper
Published: Mar 20, 2026
Source: NVD
CVE-2026-32888 HIGH - 8.8

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search_custom filter), user-supplied input from the search GET para...

Vendor: opensourcepos
Product: opensourcepos
Published: Mar 20, 2026
Source: NVD
CVE-2026-4464 HIGH - 8.8

Integer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Mar 20, 2026
Source: NVD
CVE-2026-4463 HIGH - 8.8

Heap buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Mar 20, 2026
Source: NVD
CVE-2026-4462 HIGH - 8.8

Out of bounds read in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Mar 20, 2026
Source: NVD
CVE-2026-4461 HIGH - 8.8

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Mar 20, 2026
Source: NVD