Total CVEs: 141,490

Critical Severity: 3,867

High Severity: 13,899

Last 7 Days: 1,781
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 9,181 - 9,200 of 14,045 CVEs
CVE-2026-32816 MEDIUM - 5.7

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF t...

Vendor: Admidio
Product: admidio
Published: Mar 19, 2026
Source: NVD
CVE-2026-29107 MEDIUM - 5.0

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `<img>` tags. When a PDF is exported using this template, the content (for example, `<img src=http://{bur...

Vendor: SuiteCRM
Product: SuiteCRM
Published: Mar 19, 2026
Source: NVD
CVE-2026-29106 MEDIUM - 5.9

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotati...

Vendor: SuiteCRM
Product: SuiteCRM
Published: Mar 19, 2026
Source: NVD
CVE-2026-29105 MEDIUM - 5.4

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect ...

Vendor: SuiteCRM
Product: SuiteCRM
Published: Mar 19, 2026
Source: NVD
CVE-2026-29101 MEDIUM - 4.9

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.

Vendor: SuiteCRM
Product: SuiteCRM
Published: Mar 19, 2026
Source: NVD
CVE-2026-29098 MEDIUM - 4.9

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$nam...

Vendor: SuiteCRM
Product: SuiteCRM
Published: Mar 19, 2026
Source: NVD
CVE-2026-33410 MEDIUM - 5.4

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed direct...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-33393 MEDIUM - 4.3

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` wa...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-33355 MEDIUM - 6.5

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1,...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-32753 MEDIUM - 5.4

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/...

Vendor: freescout-help-desk
Product: freescout
Published: Mar 19, 2026
Source: NVD
CVE-2026-32099 MEDIUM - 4.3

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has `hide_profile` enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox for a hidden user...

Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Source: NVD
CVE-2026-32041 MEDIUM - 6.9

OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evalua...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32040 MEDIUM - 4.6

OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attribut...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32039 MEDIUM - 5.9

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32037 MEDIUM - 6.0

OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32036 MEDIUM - 6.5

OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32035 MEDIUM - 5.9

OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32034 MEDIUM - 6.8

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or interce...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32033 MEDIUM - 5.3

OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the inte...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD
CVE-2026-32031 MEDIUM - 4.8

OpenClaw versions prior to 2026.2.26 server-http contain an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 19, 2026
Source: NVD