Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,821
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,921 - 8,940 of 13,828 CVEs
CVE-2026-4485 MEDIUM - 6.3

A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/search_student.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The exploit has been dis...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33372 MEDIUM - 5.4

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expect...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33371 MEDIUM - 4.3

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML par...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33370 MEDIUM - 6.1

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scri...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33369 MEDIUM - 4.3

Zimbra Collaboration (ZCS) 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated attacker can exploit this...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33368 MEDIUM - 6.1

Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a cra...

Published: Mar 20, 2026
Source: NVD
CVE-2026-31382 MEDIUM - 6.1

The error_description parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload.

Vendor: Gainsight
Product: Gainsight Assist
Published: Mar 20, 2026
Source: NVD
CVE-2026-31381 MEDIUM - 5.3

An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.

Vendor: Gainsight
Product: Gainsight Assist
Published: Mar 20, 2026
Source: NVD
CVE-2026-32595 MEDIUM - 3.7

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 contain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ...

Vendor: traefik
Product: traefik
Published: Mar 20, 2026
Source: NVD
CVE-2026-25792 MEDIUM - 6.5

Greenshot is an open source Windows screenshot utility. Versions 1.3.312 and below have untrusted executable search path / binary hijacking vulnerability that allows a local attacker to execute arbitrary code when the affected Windows application launches explorer.exe without using an absolute path....

Vendor: greenshot
Product: greenshot
Published: Mar 20, 2026
Source: NVD
CVE-2026-33130 MEDIUM - 6.5

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to prevent Server-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only blo...

Vendor: louislam
Product: uptime-kuma
Published: Mar 20, 2026
Source: NVD
CVE-2024-31119 MEDIUM - 5.9

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS. This issue affects Special Box for Content: from n/a through 1.

Vendor: Vasilis Triantafyllou
Product: Special Box for Content
Published: Mar 20, 2026
Source: NVD
CVE-2026-3550 MEDIUM - 5.3

The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_ser...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33071 MEDIUM - 4.3

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-defa...

Vendor: error311
Product: FileRise
Published: Mar 20, 2026
Source: NVD
CVE-2026-2432 MEDIUM - 4.4

The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated ...

Published: Mar 20, 2026
Source: NVD
CVE-2026-2421 MEDIUM - 6.5

The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a f...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33061 MEDIUM - 5.8

Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescaped {...

Vendor: Jexactyl
Product: Jexactyl
Published: Mar 20, 2026
Source: NVD
CVE-2026-33056 MEDIUM - 6.5

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarb...

Vendor: alexcrichton
Product: tar-rs
Published: Mar 20, 2026
Source: NVD
CVE-2026-4476 MEDIUM - 6.3

A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is required for this attack. ...

Published: Mar 20, 2026
Source: NVD
CVE-2026-33055 MEDIUM - 8.1

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the cas...

Vendor: alexcrichton
Product: tar-rs
Published: Mar 20, 2026
Source: NVD