Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,821

Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,901 - 8,920 of 13,828 CVEs
CVE-2026-33473 MEDIUM - 5.7

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30-second validity window. Version 2.2.1 patches the issue.

Vendor: go
Product: code.vikunja.io/api
Published: Mar 20, 2026
Source: GitHub
CVE-2026-4505 MEDIUM - 6.3

A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. It is possible ...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4500 MEDIUM - 6.3

A vulnerability was identified in bagofwords1 bagofwords up to 0.0.297. This impacts the function generate_df of the file backend/app/ai/code_execution/code_execution.py. Such manipulation leads to injection. The attack may be launched remotely. The exploit is publicly available and might be used. U...

Published: Mar 20, 2026
Source: NVD
CVE-2026-4438 MEDIUM - 5.4

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Published: Mar 20, 2026
Source: NVD
CVE-2026-33126 MEDIUM - 5.0

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server ...

Vendor: blakeblackshear
Product: frigate
Published: Mar 20, 2026
Source: NVD
CVE-2025-63260 MEDIUM - 5.4

SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message.

Published: Mar 20, 2026
Source: NVD
CVE-2026-4496 MEDIUM - 5.3

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os comman...

Published: Mar 20, 2026
Source: NVD
CVE-2026-32310 MEDIUM - 4.1

Cryptomator encrypts data being stored on cloud infrastructure. From version 1.6.0 to before version 1.19.1, vault configuration is parsed before its integrity is verified, and the masterkeyfile loader uses the unverified keyId as a filesystem path. The loader resolves keyId.getSchemeSpecificPart() ...

Vendor: cryptomator
Product: cryptomator
Published: Mar 20, 2026
Source: NVD
CVE-2026-32844 MEDIUM - 6.1

XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL...

Vendor: XinLiangCoder
Product: php_api_doc
Published: Mar 20, 2026
Source: NVD
CVE-2026-30580 MEDIUM - 4.3

File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system.

Published: Mar 20, 2026
Source: NVD
CVE-2026-30579 MEDIUM - 6.5

File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "upload file" functionality to upload a file with a crafted file name used to trigger a JavaScript payload.

Published: Mar 20, 2026
Source: NVD
CVE-2026-30578 MEDIUM - 6.5

File Thingie 2.5.7 is vulnerable to Cross Site Scripting (XSS). A malicious user can leverage the "dir" parameter of the GET request to invoke arbitrary JavaScript code.

Published: Mar 20, 2026
Source: NVD
CVE-2026-33315 MEDIUM - 4.3

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be pro...

Vendor: go
Product: code.vikunja.io/api
Published: Mar 20, 2026
Source: GitHub
CVE-2026-33313 MEDIUM - 4.3

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Ver...

Vendor: go
Product: code.vikunja.io/api
Published: Mar 20, 2026
Source: GitHub
CVE-2026-29828 MEDIUM - 6.1

DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc.

Published: Mar 20, 2026
Source: NVD
CVE-2026-22902 MEDIUM - 6.7

A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later.

Vendor: QNAP Systems Inc.
Product: QuNetSwitch
Published: Mar 20, 2026
Source: NVD
CVE-2026-32986 MEDIUM - 6.1

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that ...

Vendor: Textpattern
Product: Textpattern CMS
Published: Mar 20, 2026
Source: NVD
CVE-2026-33312 MEDIUM - 5.4

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently de...

Vendor: go-vikunja
Product: vikunja
Published: Mar 20, 2026
Source: NVD
CVE-2026-29794 MEDIUM - 5.3

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value...

Vendor: go-vikunja
Product: vikunja
Published: Mar 20, 2026
Source: NVD
CVE-2025-46598 MEDIUM - 5.3

Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.

Published: Mar 20, 2026
Source: NVD