Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,667
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 9,041 - 9,060 of 13,828 CVEs
CVE-2026-26931 MEDIUM - 5.7

Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).

Vendor: Elastic
Product: Metricbeat
Published: Mar 19, 2026
Source: NVD
CVE-2026-33294 MEDIUM - 5.0

WWBN AVideo is an open source video platform. Prior to version 26.0, the BulkEmbed plugin's save endpoint (`plugin/BulkEmbed/save.json.php`) fetches user-supplied thumbnail URLs via `url_get_contents()` without SSRF protection. Unlike all six other URL-fetching endpoints in AVideo that were har...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-3029 MEDIUM - 7.5

A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version 1.26.5.

Vendor: pip
Product: PyMuPDF
Published: Mar 19, 2026
Source: NVD
CVE-2026-32869 MEDIUM - 5.5

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of the "Name of Organization" field when filling out case information. An authenticated attacker can inject an XSS payload which is executed in the context of a victim's session when they visit the case...

Vendor: OPEXUS
Product: eComplaint, eCASE
Published: Mar 19, 2026
Source: NVD
CVE-2026-32868 MEDIUM - 5.5

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in the 'My Information' screen. An authenticated attacker can inject parts of an XSS payload in the first and last name fields. The payload is executed when the full name is ren...

Vendor: OPEXUS
Product: eComplaint, eCASE
Published: Mar 19, 2026
Source: NVD
CVE-2026-32867 MEDIUM - 5.4

OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume stor...

Vendor: OPEXUS
Product: eComplaint
Published: Mar 19, 2026
Source: NVD
CVE-2026-32866 MEDIUM - 5.5

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. Th...

Vendor: OPEXUS
Product: eCASE
Published: Mar 19, 2026
Source: NVD
CVE-2026-4426 MEDIUM - 6.5

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead t...

Published: Mar 19, 2026
Source: NVD
CVE-2026-2369 MEDIUM - 6.5

A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service.

Published: Mar 19, 2026
Source: NVD
CVE-2025-71259 MEDIUM - 4.3

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Attackers can exploit insufficient validation of exte...

Vendor: BMC Software, Inc.
Product: FootPrints
Published: Mar 19, 2026
Source: NVD
CVE-2025-71258 MEDIUM - 4.3

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a blind server-side request forgery vulnerability in the searchWeb API component that allows authenticated attackers to cause the server to initiate arbitrary outbound requests. Attackers can exploit improper URL validation to perfor...

Vendor: BMC Software, Inc.
Product: FootPrints
Published: Mar 19, 2026
Source: NVD
CVE-2026-33320 MEDIUM - 6.2

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the ...

Vendor: go
Product: github.com/tomwright/dasel/v3
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33319 MEDIUM - 5.9

WWBN AVideo is an open source video platform. Prior to version 26.0, the `uploadVideoToLinkedIn()` method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via `escapeshellarg()`. If ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33238 MEDIUM - 4.3

WWBN AVideo is an open source video platform. Prior to version 26.0, the `listFiles.json.php` endpoint accepts a `path` POST parameter and passes it directly to `glob()` without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by ...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2026-33237 MEDIUM - 5.5

WWBN AVideo is an open source video platform. Prior to version 26.0, the Scheduler plugin's `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo e...

Vendor: composer
Product: wwbn/avideo
Published: Mar 19, 2026
Source: GitHub
CVE-2025-14716 MEDIUM - 6.5

Improper Authentication vulnerability in Secomea GateManager (webserver modules) allows Authentication Bypass. This issue affects GateManager: 11.4;0.

Vendor: Secomea
Product: GateManager
Published: Mar 19, 2026
Source: NVD
CVE-2026-21788 MEDIUM - 5.4

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user, which leads to executing malicious script code. This may allow the attacker to steal cookie-based authentication credentials ...

Vendor: HCLSoftware
Product: Connections
Published: Mar 19, 2026
Source: NVD
CVE-2025-62043 MEDIUM - 6.5

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS. This issue affects WPCasa: from n/a through 1.4.1.

Vendor: WPSight
Product: WPCasa
Published: Mar 19, 2026
Source: NVD
CVE-2025-32223 MEDIUM - 6.5

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through 3.9.4.

Vendor: Themeum
Product: Tutor LMS
Published: Mar 19, 2026
Source: NVD
CVE-2026-3475 MEDIUM - 5.3

The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode Execution in all versions up to and including 1.1.7. This is due to the handle_email_verification_page() function constructing a shortcode string from user-supplied GET parameters (token, email) and p...

Published: Mar 19, 2026
Source: NVD