Showing 8,881 - 8,900 of 14,211 CVEs
CVE-2026-33423 MEDIUM - 4.3

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Vendor: discourse
Product: discourse
Published: Mar 20, 2026
Source: NVD
CVE-2026-33411 MEDIUM - 5.4

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a potential stored XSS in topic titles for the solved posts stream. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure that the Content Security ...

Vendor: discourse
Product: discourse
Published: Mar 20, 2026
Source: NVD
CVE-2026-33291 MEDIUM - 5.4

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 cont...

Vendor: discourse
Product: discourse
Published: Mar 20, 2026
Source: NVD
CVE-2026-33251 MEDIUM - 5.4

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch...

Vendor: discourse
Product: discourse
Published: Mar 20, 2026
Source: NVD
CVE-2026-32810 MEDIUM - 5.5

Halloy is an IRC application written in Rust. In versions on *nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any ...

Vendor: squidowl
Product: halloy
Published: Mar 20, 2026
Source: NVD
CVE-2026-32733 MEDIUM - 6.5

Halloy is an IRC application written in Rust. Prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6, the DCC receive flow did not sanitize filenames from incoming `DCC SEND` requests. A remote IRC user could send a filename with path traversal sequences like `../../.ssh/authorized_keys` and the f...

Vendor: squidowl
Product: halloy
Published: Mar 20, 2026
Source: NVD
CVE-2026-31926 MEDIUM - 6.5

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Vendor: IGL-Technologies
Product: eParking.fi
Published: Mar 20, 2026
Source: NVD
CVE-2026-28204 MEDIUM - 6.5

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Vendor: CTEK
Product: Chargeportal
Published: Mar 20, 2026
Source: NVD
CVE-2026-4507 MEDIUM - 6.3

A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utili...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4506 MEDIUM - 6.3

A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was cont...

Vendor: pip
Product: mindsql
Published: Mar 20, 2026
Source: NVD
CVE-2026-33179 MEDIUM - 5.5

libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue en...

Vendor: libfuse
Product: libfuse
Published: Mar 20, 2026
Source: NVD
CVE-2026-33165 MEDIUM - 5.5

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay con...

Vendor: strukturag
Product: libde265
Published: Mar 20, 2026
Source: NVD
CVE-2026-33144 MEDIUM - 5.8

GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malic...

Vendor: gpac
Product: gpac
Published: Mar 20, 2026
Source: NVD
CVE-2026-33501 MEDIUM - 5.3

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user gr...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33500 MEDIUM - 5.4

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `sa...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33499 MEDIUM - 6.1

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33495 MEDIUM - 6.5

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward th...

Vendor: go
Product: github.com/ory/oathkeeper
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33481 MEDIUM - 5.3

Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly clean up temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those ...

Vendor: go
Product: github.com/anchore/syft
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33429 MEDIUM - 5.3

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from...

Vendor: npm
Product: parse-server
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33474 MEDIUM - 6.5

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0...

Vendor: go
Product: code.vikunja.io/api
Published: Mar 20, 2026
Source: GitHub