Total CVEs: 141,292

Critical Severity: 3,799

High Severity: 13,738

Last 7 Days: 1,666
Showing 9,041 - 9,060 of 13,738 CVEs
CVE-2026-32730 HIGH - 8.1

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MF...

Vendor: npm
Product: apostrophe
Published: Mar 18, 2026
Source: GitHub
CVE-2026-31965 HIGH - 8.2

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds r...

Vendor: samtools
Product: htslib
Published: Mar 18, 2026
Source: NVD
CVE-2026-31964 HIGH - 7.5

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit...

Vendor: samtools
Product: htslib
Published: Mar 18, 2026
Source: NVD
CVE-2026-31963 HIGH - 8.1

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it sto...

Vendor: samtools
Product: htslib
Published: Mar 18, 2026
Source: NVD
CVE-2025-58112 HIGH - 8.8

Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting...

Published: Mar 18, 2026
Source: NVD
CVE-2026-31962 HIGH - 8.8

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some...

Vendor: samtools
Product: htslib
Published: Mar 18, 2026
Source: NVD
CVE-2026-29858 HIGH - 7.5

A lack of path validation in aaPanel v7.57.0 allows attackers to execute a local file inclusion (LFI), leading to sensitive information exposure.

Vendor: aapanel
Product: aapanel
Published: Mar 18, 2026
Source: NVD
CVE-2026-29856 HIGH - 7.5

An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted input.

Vendor: aapanel
Product: aapanel
Published: Mar 18, 2026
Source: NVD
CVE-2026-27135 HIGH - 7.5

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They migh...

Vendor: nghttp2
Product: nghttp2
Published: Mar 18, 2026
Source: NVD
CVE-2026-26740 HIGH - 8.2

Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size.

Vendor: giflib_project
Product: giflib
Published: Mar 18, 2026
Source: NVD
CVE-2026-32937 HIGH - 6.5

free5GC is an open source 5G core network. free5GC CHF prior to version 1.2.2 has an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service. A valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side pani...

Vendor: go
Product: github.com/free5gc/chf
Published: Mar 18, 2026
Source: GitHub

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server ru...

Vendor: npm
Product: socket.io-parser
Published: Mar 18, 2026
Source: GitHub
CVE-2026-33143 HIGH - 7.5

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticat...

Vendor: npm
Product: oneuptime
Published: Mar 18, 2026
Source: GitHub
CVE-2026-30345 HIGH - 7.5

A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories via supplying a crafted import.

Published: Mar 18, 2026
Source: NVD
CVE-2026-1463 HIGH - 8.8

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level...

Published: Mar 18, 2026
Source: NVD
CVE-2026-33142 HIGH - 8.1

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query const...

Vendor: npm
Product: oneuptime
Published: Mar 18, 2026
Source: GitHub
CVE-2026-33139 HIGH - 7.8

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py, performs static AST anal...

Vendor: pip
Product: pyspector
Published: Mar 18, 2026
Source: GitHub
CVE-2026-33131 HIGH - 7.4

H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _u...

Vendor: npm
Product: h3
Published: Mar 18, 2026
Source: GitHub
CVE-2026-33128 HIGH - 7.5

H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any pa...

Vendor: npm
Product: h3
Published: Mar 18, 2026
Source: GitHub
CVE-2026-3090 HIGH - 7.2

The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_type' parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization an...

Published: Mar 18, 2026
Source: NVD