Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,667
Showing 8,961 - 8,980 of 13,738 CVEs
CVE-2026-23658 HIGH - 8.6

Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

Published: Mar 19, 2026
Source: NVD
CVE-2026-33354 HIGH - 7.6

WWBN AVideo is an open source video platform. In versions up to and including 26.0, `POST /objects/aVideoEncoder.json.php` accepts a requester-controlled `chunkFile` parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoin...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33353 HIGH - 6.5

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. T...

Vendor: go
Product: github.com/charmbracelet/soft-serve
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33344 HIGH - 8.1

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAM...

Vendor: go
Product: github.com/dagu-org/dagu
Published: Mar 19, 2026
Source: GitHub
CVE-2026-25667 HIGH - 7.5

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

Published: Mar 19, 2026
Source: NVD
CVE-2026-33282 HIGH - 7.5

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing a malformed NGAP LocationReport message with `ue-presence-in-area-of-interest` event type and omitting the optional `UEPresenceInAreaOfInterestList` IE. An attacker able to send crafted NGAP messages...

Vendor: go
Product: github.com/ellanetworks/core
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33310 HIGH - 8.8

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>)...

Vendor: pip
Product: intake
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33228 HIGH - 9.8

flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the...

Vendor: npm
Product: flatted
Published: Mar 19, 2026
Source: GitHub
CVE-2026-30403 HIGH - 7.5

There is an arbitrary file read vulnerability in the test connection function of backend database management in wgcloud v3.6.3 and before, which can be used to read any file on the victim's server.

Published: Mar 19, 2026
Source: NVD
CVE-2026-33295 HIGH - 5.4

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any e...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33293 HIGH - 8.1

WWBN AVideo is an open source video platform. Prior to version 26.0, the `deleteDump` parameter in `plugin/CloneSite/cloneServer.json.php` is passed directly to `unlink()` without any path sanitization. An attacker with valid clone credentials can use path traversal sequences (e.g., `../../`) to del...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33292 HIGH - 7.5

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The `videoDirectory` GET parameter is used in two div...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33252 HIGH - 7.1

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Author...

Vendor: go
Product: github.com/modelcontextprotocol/go-sdk
Published: Mar 19, 2026
Source: GitHub
CVE-2026-32935 HIGH - 5.9

phpseclib is a PHP secure communications library. Projects using versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and 3.0.50.

Vendor: composer
Product: phpseclib/phpseclib
Published: Mar 19, 2026
Source: GitHub
CVE-2026-27953 HIGH - 7.1

ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only...

Vendor: pip
Product: ormar
Published: Mar 19, 2026
Source: GitHub
CVE-2026-30404 HIGH - 7.5

The backend database management connection test feature in wgcloud v3.6.3 has a server-side request forgery (SSRF) vulnerability. This issue can be exploited to make the server send requests to probe the internal network, remotely download malicious files, and perform other dangerous operations.

Published: Mar 19, 2026
Source: NVD
CVE-2026-4427 HIGH - 7.5

A flaw was found in pgproto3. A malicious or compromised PostgreSQL server can exploit this by sending a DataRow message with a negative field length. This input validation vulnerability can lead to a denial of service (DoS) due to a slice bounds out of range panic.

Vendor: go
Product: github.com/jackc/pgproto3/v2
Published: Mar 19, 2026
Source: NVD
CVE-2026-4424 HIGH - 7.5

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR arch...

Published: Mar 19, 2026
Source: NVD
CVE-2026-30711 HIGH - 8.8

Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent.

Published: Mar 19, 2026
Source: NVD
CVE-2026-27043 HIGH - 7.2

Unrestricted Upload of File with Dangerous Type vulnerability in ThemeGoods Photography allows Path Traversal. This issue affects Photography: from n/a through 7.7.5.

Vendor: ThemeGoods
Product: Photography
Published: Mar 19, 2026
Source: NVD