Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,604
Showing 9,101 - 9,120 of 13,738 CVEs
CVE-2026-33039 HIGH - 8.6

WWBN AVideo is an open source video platform. In versions 25.0 and below, the plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL(), but only checks the initial URL. When the initial URL responds with an HTTP redirect (Location heade...

Vendor: composer
Product: wwbn/avideo
Published: Mar 17, 2026
Source: GitHub
CVE-2026-4295 HIGH - 7.8

Improper trust boundary enforcement in Kiro IDE before version 0.8.0 on all supported platforms might allow a remote unauthenticated threat actor to execute arbitrary code via maliciously crafted project directory files that bypass workspace trust protections when a local user opens the directory. ...

Published: Mar 17, 2026
Source: NVD
CVE-2026-4064 HIGH - 8.3

Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and dis...

Vendor: ironmansoftware
Product: powershell_universal
Published: Mar 17, 2026
Source: NVD
CVE-2026-32981 HIGH - 7.5

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences (e.g., ../) to access files outside the...

Vendor: ray-project
Product: Ray
Published: Mar 17, 2026
Source: NVD
CVE-2026-30707 HIGH - 8.1

An issue was discovered in SpeedExam Online Examination System (SaaS) after v.FEV2026. It allows Broken Access Control via the ReviewAnswerDetails ASP.NET PageMethod. Authenticated attackers can bypass client-side restrictions and invoke this method directly to retrieve the full answer key. The prov...

Published: Mar 17, 2026
Source: NVD
CVE-2026-32256 HIGH - 7.5

music-metadata is a metadata parser for audio and video media files. Prior to version 11.12.3, music-metadata's ASF parser (`parseExtensionObject()` in `lib/asf/AsfParser.ts:112-158`) enters an infinite loop when a sub-object inside the ASF Header Extension Object has `objectSize = 0`. Version ...

Vendor: npm
Product: music-metadata
Published: Mar 17, 2026
Source: GitHub
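The music-metadata entry is a parser loop that advances its cursor by a size read from the file; a size of zero leaves the cursor where it was, forever. As an added example (not music-metadata's AsfParser), the following walks a list of size-prefixed objects in the ASF style, with the header layout (16-byte GUID, 8-byte little-endian size that includes the header) assumed for illustration. The unsafe loop trusts the size; the safe one rejects any object that would not move the cursor forward or would overrun the buffer.

```javascript
// Added example, not music-metadata's AsfParser. Object layout assumed:
// 16-byte GUID followed by an 8-byte little-endian size covering the header.
const GUID_LEN = 16, SIZE_LEN = 8, HEADER_LEN = GUID_LEN + SIZE_LEN;

// Vulnerable shape: size is trusted. A cap is added only so the demo terminates.
function* walkObjectsUnsafe(buf, iterationCap = 10000) {
  let off = 0, n = 0;
  while (off < buf.length) {
    if (++n > iterationCap) throw new Error('iteration cap hit: the real loop would never terminate');
    const size = Number(buf.readBigUInt64LE(off + GUID_LEN));
    yield { guid: buf.subarray(off, off + GUID_LEN).toString('hex'), size };
    off += size; // size 0 => off unchanged => infinite loop
  }
}

// Hardened: every object must be at least a header long and fit in the buffer.
function* walkObjectsSafe(buf) {
  let off = 0;
  while (off < buf.length) {
    if (buf.length - off < HEADER_LEN) throw new Error(`truncated object header at offset ${off}`);
    const size = Number(buf.readBigUInt64LE(off + GUID_LEN));
    if (size < HEADER_LEN) throw new Error(`invalid object size ${size} at offset ${off}`);
    if (off + size > buf.length) throw new Error(`object at offset ${off} overruns buffer`);
    yield { guid: buf.subarray(off, off + GUID_LEN).toString('hex'), size };
    off += size;
  }
}

// Constructed test data: one object with the given GUID fill byte and payload;
// declaredSize overrides the real size to forge a malformed header.
function makeObject(guidByte, payloadLen, declaredSize) {
  const buf = Buffer.alloc(HEADER_LEN + payloadLen);
  buf.fill(guidByte, 0, GUID_LEN);
  buf.writeBigUInt64LE(BigInt(declaredSize ?? buf.length), GUID_LEN);
  return buf;
}

const WELL_FORMED = Buffer.concat([makeObject(0x11, 4), makeObject(0x22, 2)]);
const ZERO_SIZED = Buffer.concat([makeObject(0x11, 4), makeObject(0x22, 0, 0), makeObject(0x33, 2)]);

// Drain a walker and report either the object count or the error it raised.
function drain(walker, buf) {
  try { let count = 0; for (const _ of walker(buf)) count++; return { count }; }
  catch (e) { return { error: e.message }; }
}
```

The general rule for any length-prefixed container format: after each iteration assert that the cursor strictly increased and never exceeds the end of the buffer. Those two checks close both the spin-forever and the read-past-end cases at once.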
CVE-2026-33043 HIGH - 8.1

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials:...

Vendor: composer
Product: wwbn/avideo
Published: Mar 17, 2026
Source: GitHub
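The second AVideo entry combines two mistakes: a session identifier served to unauthenticated callers, and a CORS policy that reflects any Origin with credentials allowed, which lets any third-party page read that response from a logged-in browser. The session-ID endpoint should simply not exist; for the CORS half, the following is an added example (not AVideo's allowOrigin()) showing the reflecting pattern, a suffix-match half-fix that is still bypassable, and an exact allowlist. The allowlist entries and function names are assumptions for illustration.

```javascript
// Added example, not AVideo's allowOrigin(). Allowlist entries are assumed.
const ORIGIN_ALLOWLIST = new Set(['https://app.example.com', 'https://admin.example.com']);

const withCredentials = (origin) => ({
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
  Vary: 'Origin', // caches must not reuse one origin's response for another
});

// Flaw: any origin, including an attacker's page, may read credentialed responses.
function corsReflect(origin) {
  return origin ? withCredentials(origin) : {};
}

// Half-fix: "ends with our domain" also matches attacker-registered look-alikes.
function corsSuffix(origin) {
  return origin && origin.endsWith('example.com') ? withCredentials(origin) : {};
}

// Hardened: exact string match against a closed list; no CORS headers otherwise.
function corsAllowlist(origin) {
  return origin && ORIGIN_ALLOWLIST.has(origin) ? withCredentials(origin) : {};
}

// Would a page at `origin` be allowed to read a credentialed response with these headers?
function canReadWithCredentials(headers, origin) {
  return headers['Access-Control-Allow-Origin'] === origin
    && headers['Access-Control-Allow-Credentials'] === 'true';
}
```

Browsers refuse a literal "*" together with Allow-Credentials, which is exactly why reflection is the tempting shortcut; the allowlist version gives the same developer experience without opening the response to every origin.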
CVE-2026-33038 HIGH - 8.1

WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and confi...

Vendor: composer
Product: wwbn/avideo
Published: Mar 17, 2026
Source: GitHub
CVE-2026-33036 HIGH - 7.5

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits...

Vendor: npm
Product: fast-xml-parser
Published: Mar 17, 2026
Source: GitHub
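The fast-xml-parser entry describes an accounting gap: the expansion limit counts only declared (custom) entities, so a document built from numeric character references or predefined entities is never charged. As an added example (not fast-xml-parser's code), here is a small reference decoder for all three kinds, first with the flawed accounting and then with every reference charged against one budget and the expanded size capped. The regex, limits and function names are assumptions; custom entity values are inserted literally with no recursive expansion, which is itself what keeps nested "billion laughs" payloads out.

```javascript
// Added example, not fast-xml-parser's code. Regex and limits are assumptions.
const PREDEFINED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
const REF_RE = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_][\w.-]*);/g;

function hasOwn(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); }

// Resolve one reference body (the text between '&' and ';').
function decodeRef(ref, custom) {
  if (ref[0] === '#') {
    const cp = ref[1] === 'x' ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    if (!Number.isFinite(cp) || cp > 0x10ffff) throw new Error(`bad code point in &${ref};`);
    return String.fromCodePoint(cp);
  }
  if (hasOwn(PREDEFINED, ref)) return PREDEFINED[ref];
  if (hasOwn(custom, ref)) return custom[ref]; // inserted literally, not re-expanded
  return `&${ref};`; // unknown name: leave the reference untouched
}

// Flawed accounting: numeric and predefined references never touch the counter.
function decodeCountingCustomOnly(text, custom, maxRefs) {
  let n = 0;
  return text.replace(REF_RE, (_m, ref) => {
    if (hasOwn(custom, ref) && ++n > maxRefs) throw new Error(`entity limit exceeded (${maxRefs})`);
    return decodeRef(ref, custom);
  });
}

// Hardened accounting: every reference counts, and expanded output is bounded.
function decodeBudgeted(text, custom, { maxRefs, maxOutput }) {
  let n = 0, outLen = 0;
  return text.replace(REF_RE, (_m, ref) => {
    if (++n > maxRefs) throw new Error(`entity limit exceeded (${maxRefs})`);
    const s = decodeRef(ref, custom);
    outLen += s.length;
    if (outLen > maxOutput) throw new Error(`expanded size exceeded (${maxOutput})`);
    return s;
  });
}

// Constructed input: 50 numeric references and 50 predefined ones, no custom entities.
const FLOOD = '&#65;'.repeat(50) + '&lt;'.repeat(50);
```

A budget that is measured in references is only half of the picture: a single custom entity with a large value passes a reference count while still inflating output, so the output-size cap is not optional.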
CVE-2025-66342 HIGH - 7.8

A type confusion vulnerability exists in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.

Vendor: Canva
Product: Affinity
Published: Mar 17, 2026
Source: NVD
CVE-2025-64301 HIGH - 7.8

An out-of-bounds write vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds write, potentially leading to code execution.

Vendor: Canva
Product: Affinity
Published: Mar 17, 2026
Source: NVD
CVE-2026-33012 HIGH - 7.5

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an ex...

Vendor: maven
Product: io.micronaut:micronaut-http-server
Published: Mar 17, 2026
Source: GitHub
CVE-2026-33011 HIGH - 7.5

Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a ...

Vendor: npm
Product: @nestjs/platform-fastify
Published: Mar 17, 2026
Source: GitHub
CVE-2026-4319 HIGH - 7.3

A vulnerability was identified in code-projects Simple Food Order System 1.0. Affected is unknown functionality in the file /routers/add-item.php. Manipulation of the argument price leads to SQL injection. The attack can be launched remotely. The exploit is publicly ava...

Published: Mar 17, 2026
Source: NVD
CVE-2026-32297 HIGH - 7.5

The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries. Modified configuration files or system binaries could allow an attacker to take complete control of a vulnerable system.

Vendor: ANGEET
Product: ES3 KVM
Published: Mar 17, 2026
Source: NVD
CVE-2026-32296 HIGH - 8.2

Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and termina...

Vendor: Sipeed
Product: NanoKVM
Published: Mar 17, 2026
Source: NVD
CVE-2026-32295 HIGH - 7.5

JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.

Vendor: JetKVM
Product: JetKVM
Published: Mar 17, 2026
Source: NVD
CVE-2026-32292 HIGH - 7.5

The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.

Vendor: GL-iNet
Product: Comet KVM
Published: Mar 17, 2026
Source: NVD
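The JetKVM and GL-iNet Comet entries are the same finding on two devices: no limit on login attempts. As an added example (not code from either vendor's firmware), the following is a login rate limiter that counts attempts per client address and per account in a fixed window and applies a temporary lockout once a bucket is exhausted. The limits, key format and the injected clock are assumptions for illustration.

```javascript
// Added example, not JetKVM or GL-iNet code. Limits and key scheme are assumed.
class LoginRateLimiter {
  constructor({ maxPerIp = 20, maxPerUser = 5, windowMs = 60_000, lockoutMs = 300_000 } = {}, now = Date.now) {
    Object.assign(this, { maxPerIp, maxPerUser, windowMs, lockoutMs, now });
    this.buckets = new Map(); // key -> { count, windowStart, lockedUntil }
  }

  _bucket(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: t, lockedUntil: b ? b.lockedUntil : 0 }; // lockout survives a window roll
      this.buckets.set(key, b);
    }
    return b;
  }

  // Call before verifying the password. Returns { allowed, retryAfterMs }.
  check(ip, username) {
    const t = this.now();
    const keys = [[`ip:${ip}`, this.maxPerIp], [`user:${username.toLowerCase()}`, this.maxPerUser]];
    for (const [key, max] of keys) {
      const b = this._bucket(key);
      if (b.lockedUntil > t) return { allowed: false, retryAfterMs: b.lockedUntil - t };
      if (b.count >= max) { b.lockedUntil = t + this.lockoutMs; return { allowed: false, retryAfterMs: this.lockoutMs }; }
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record the outcome: every attempt counts against the IP; failures count
  // against the account, and a success clears the account bucket.
  record(ip, username, success) {
    const ipB = this._bucket(`ip:${ip}`);
    const userB = this._bucket(`user:${username.toLowerCase()}`);
    ipB.count++;
    if (success) { userB.count = 0; userB.lockedUntil = 0; } else userB.count++;
  }
}

// Constructed scenario: one client hammers the admin account once every 100 ms.
// Returns how many attempts actually reached password verification.
function simulateBruteForce(attempts) {
  let clock = 0;
  const rl = new LoginRateLimiter({ maxPerUser: 5 }, () => clock);
  let reachedVerifier = 0;
  for (let i = 0; i < attempts; i++) {
    clock += 100;
    if (rl.check('203.0.113.5', 'admin').allowed) {
      reachedVerifier++;
      rl.record('203.0.113.5', 'admin', false);
    }
  }
  return reachedVerifier;
}
```

The per-account bucket is keyed on attacker-controlled input, so a hard lockout lets an attacker deny a legitimate user access; on a device with a single admin account that trade-off is usually acceptable, but on multi-user systems pair the account limit with a challenge or notification rather than a flat block, and always keep the per-address limit as well.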
CVE-2026-32886 HIGH - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chai...

Vendor: npm
Product: parse-server
Published: Mar 17, 2026
Source: GitHub
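The Parse Server entry is a JavaScript-specific lookup hazard: indexing a plain object with a client-supplied name walks the prototype chain, so names like "constructor" or "toString" resolve to inherited functions that pass a typeof check and get invoked with attacker-chosen arguments. As an added example (not Parse Server's code), here is a registry lookup in the vulnerable shape, an own-property-checked version, and a null-prototype registry that has nothing to inherit. The registry contents and function names are assumptions for illustration.

```javascript
// Added example, not Parse Server's code. Registry contents are assumed.
const registryPlain = {
  hello: (params) => `hello ${params.name}`,
};

// Vulnerable shape: property lookup resolves inherited members too.
function invokeUnsafe(registry, name, params) {
  const fn = registry[name]; // "constructor", "toString", ... come from Object.prototype
  if (typeof fn !== 'function') throw new Error(`no such function: ${name}`);
  return fn(params);
}

// Hardened: only own properties of the registry are callable.
function invokeSafe(registry, name, params) {
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(registry, name)) {
    throw new Error(`no such function: ${name}`);
  }
  const fn = registry[name];
  if (typeof fn !== 'function') throw new Error(`no such function: ${name}`);
  return fn(params);
}

// Alternative: a registry without a prototype (or a Map) has nothing to inherit,
// so even the unsafe lookup cannot reach Object.prototype members.
const registryNullProto = Object.assign(Object.create(null), registryPlain);

// Run one invocation and report whether a function was reached at all.
function probe(invoker, registry, name) {
  try { return { invoked: true, result: invoker(registry, name, { name: 'world' }) }; }
  catch (e) { return { invoked: false, error: e.message }; }
}
```

The same rule applies to any object used as a dictionary keyed by untrusted strings (route tables, handler maps, caches): either guard every read with an own-property check or do not give the object a prototype in the first place.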
CVE-2026-32254 HIGH - 7.1

Kube-router is a turnkey solution for Kubernetes networking. Prior to version 2.8.0, Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. Version 2.8.0 contains a patch for the issue. Available workaroun...

Vendor: go
Product: github.com/cloudnativelabs/kube-router/v2
Published: Mar 17, 2026
Source: GitHub