Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,844
CVE-2026-32001 MEDIUM - 5.4

OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject un...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-30873 MEDIUM - 4.9

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field lab...

Vendor: openwrt
Product: openwrt
Published: Mar 19, 2026
Source: NVD
CVE-2026-28282 MEDIUM - 6.5

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a priva...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-27936 MEDIUM - 5.3

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 cont...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-27935 MEDIUM - 6.5

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026....

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD

The Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While...

Vendor: npm
Product: @angular/ssr
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33305 MEDIUM - 5.4

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods, including `getNotificationLog()`,...

Vendor: openemr
Product: openemr
Published: Mar 19, 2026
Source: NVD
CVE-2026-33304 MEDIUM - 6.5

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient names...

Vendor: openemr
Product: openemr
Published: Mar 19, 2026
Source: NVD
CVE-2026-33303 MEDIUM - 5.4

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user can set their login ...

Vendor: openemr
Product: openemr
Published: Mar 19, 2026
Source: NVD
CVE-2026-33299 MEDIUM - 5.4

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit histo...

Vendor: openemr
Product: openemr
Published: Mar 19, 2026
Source: NVD
CVE-2026-27740 MEDIUM - 6.1

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a cross-site scripting vulnerability that arises because the system trusts the raw output from an AI Large Language Model (LLM) and renders it using htmlSafe in the Review Queue interfac...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-27570 MEDIUM - 6.1

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain ...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-27491 MEDIUM - 4.3

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the at...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-27454 MEDIUM - 5.3

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-27166 MEDIUM - 4.1

Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions 2026.3.0-la...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-26136 MEDIUM - 6.5

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.

Published: Mar 19, 2026
Source: NVD
CVE-2026-26120 MEDIUM - 6.5

Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.

Published: Mar 19, 2026
Source: NVD
CVE-2026-24299 MEDIUM - 5.3

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: 365_copilot
Published: Mar 19, 2026
Source: NVD
CVE-2026-3580 MEDIUM - 4.7

In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover sec...

Vendor: wolfssl
Product: wolfssl
Published: Mar 19, 2026
Source: NVD
CVE-2026-3579 MEDIUM - 5.9

wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a t...

Vendor: wolfssl
Product: wolfssl
Published: Mar 19, 2026
Source: NVD