Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,604
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 9,141 - 9,160 of 13,828 CVEs
CVE-2026-22174 MEDIUM - 5.7

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the /json/version...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 18, 2026
Source: NVD
CVE-2026-22170 MEDIUM - 4.8

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by expl...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 18, 2026
Source: NVD
CVE-2026-22169 MEDIUM - 6.4

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin appro...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 18, 2026
Source: NVD
CVE-2026-22168 MEDIUM - 6.5

OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through c...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 18, 2026
Source: NVD
CVE-2026-27895 MEDIUM - 4.3

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With G...

Vendor: LDAPAccountManager
Product: lam
Published: Mar 18, 2026
Source: NVD
CVE-2026-26004 MEDIUM - 6.5

Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. Version 26.1.0 patches the issue.

Vendor: getsentry
Product: sentry
Published: Mar 18, 2026
Source: NVD
CVE-2026-25937 MEDIUM - 6.5

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

Vendor: glpi-project
Product: glpi
Published: Mar 18, 2026
Source: NVD
CVE-2026-3856 MEDIUM - 5.3

IBM Db2 Recovery Expert for Linux, UNIX and Windows 5.5 IF 2 could allow an attacker to modify or corrupt data due to an insecure mechanism used for verifying the integrity of the data during transmission.

Vendor: ibm
Product: db2_recovery_expert
Published: Mar 17, 2026
Source: NVD
CVE-2026-20643 MEDIUM - 5.4

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.

Vendor: Apple
Product: macOS, iOS, iPadOS
Published: Mar 17, 2026
Source: NVD
CVE-2026-4349 MEDIUM - 5.6

A vulnerability was determined in Duende IdentityServer 4. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument id_token_hint causes improper authentication. It is possible to initiate the attack remotel...

Published: Mar 17, 2026
Source: NVD
CVE-2026-32842 MEDIUM - 6.5

Edimax GS-5008PL firmware version 1.00.54 and prior contain an insecure credential storage vulnerability that allows attackers to obtain administrator credentials by accessing configuration backup files. Attackers can download the config.bin file through fupload.cgi to extract plaintext username and...

Vendor: EDIMAX Technology Co., Ltd.
Product: Edimax GS-5008PL
Published: Mar 17, 2026
Source: NVD
CVE-2026-32840 MEDIUM - 5.4

Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the system_name_set.cgi script that allows attackers to inject arbitrary script code by manipulating the sysName parameter. Attackers can send a crafted POST request with malicious script paylo...

Vendor: EDIMAX Technology Co., Ltd.
Product: Edimax GS-5008PL
Published: Mar 17, 2026
Source: NVD
CVE-2026-32839 MEDIUM - 4.3

Edimax GS-5008PL firmware version 1.00.54 and prior contain a cross-site request forgery vulnerability that allows remote attackers to perform unauthorized administrative actions by inducing logged-in administrators to visit malicious pages. Attackers can exploit the lack of anti-CSRF tokens and req...

Vendor: EDIMAX Technology Co., Ltd.
Product: Edimax GS-5008PL
Published: Mar 17, 2026
Source: NVD
CVE-2026-1267 MEDIUM - 6.5

IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an unauthorized access to sensitive application data and administrative functionalities due to lack of proper access controls.

Vendor: ibm
Product: planning_analytics_local
Published: Mar 17, 2026
Source: NVD
CVE-2025-14806 MEDIUM - 5.7

IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an attacker to trick the caching mechanism into storing and serving sensitive, user-specific responses as publicly cacheable resources.

Vendor: IBM
Product: Planning Analytics Local
Published: Mar 17, 2026
Source: NVD
CVE-2026-4358 MEDIUM - 6.4

A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.

Published: Mar 17, 2026
Source: NVD
CVE-2026-3563 MEDIUM - 5.5

Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of servi...

Vendor: ironmansoftware
Product: powershell_universal
Published: Mar 17, 2026
Source: NVD
CVE-2026-32837 MEDIUM - 5.5

miniaudio version 0.11.25 and earlier contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper null-termination handling in the coding history field to cau...

Vendor: mackron
Product: miniaudio
Published: Mar 17, 2026
Source: NVD
CVE-2026-32836 MEDIUM - 5.5

dr_libs dr_flac.h version 0.13.3 and earlier contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength a...

Vendor: mackron
Product: dr_libs
Published: Mar 17, 2026
Source: NVD
CVE-2026-25936 MEDIUM - 6.5

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.

Vendor: glpi-project
Product: glpi
Published: Mar 17, 2026
Source: NVD