Total CVEs: 141,492
Critical Severity: 3,867
High Severity: 13,899
Last 7 Days: 1,728
Showing 9,221 - 9,240 of 13,899 CVEs
CVE-2026-3090 HIGH - 7.2

The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization an...

Published: Mar 18, 2026
Source: NVD
CVE-2026-33002 HIGH - 7.5

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable ...

Vendor: Jenkins Project
Product: Jenkins
Published: Mar 18, 2026
Source: NVD
CVE-2026-33001 HIGH - 8.8

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkin...

Vendor: Jenkins Project
Product: Jenkins
Published: Mar 18, 2026
Source: NVD
CVE-2026-2992 HIGH - 8.2

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthentica...

Published: Mar 18, 2026
Source: NVD
CVE-2026-24063 HIGH - 8.2

When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the Pr...

Vendor: Arturia
Product: Software Center
Published: Mar 18, 2026
Source: NVD
CVE-2026-24062 HIGH - 7.8

The "Privileged Helper" component of the Arturia Software Center (MacOS) does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation.

Vendor: Arturia
Product: Software Center
Published: Mar 18, 2026
Source: NVD
CVE-2025-55046 HIGH - 8.1

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irrever...

Vendor: murasoftware
Product: mura_cms
Published: Mar 18, 2026
Source: NVD
CVE-2025-55045 HIGH - 7.1

The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses wh...

Vendor: murasoftware
Product: mura_cms
Published: Mar 18, 2026
Source: NVD
CVE-2025-55044 HIGH - 8.8

The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content to...

Vendor: murasoftware
Product: mura_cms
Published: Mar 18, 2026
Source: NVD
CVE-2025-55041 HIGH - 8.0

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token valida...

Vendor: murasoftware
Product: mura_cms
Published: Mar 18, 2026
Source: NVD
CVE-2025-55040 HIGH - 8.8

The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, enabling malicious websites to forge file upload requests that install attacker...

Vendor: murasoftware
Product: mura_cms
Published: Mar 18, 2026
Source: NVD
CVE-2026-33125 HIGH - 7.1

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0....

Vendor: pip
Product: frigate
Published: Mar 18, 2026
Source: GitHub
CVE-2026-32693 HIGH - 8.8

In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation at...

Vendor: Canonical
Product: Juju
Published: Mar 18, 2026
Source: NVD
CVE-2026-32692 HIGH - 7.6

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within the...

Vendor: Canonical
Product: Juju
Published: Mar 18, 2026
Source: NVD
CVE-2026-32875 HIGH - 7.5

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the inden...

Vendor: pip
Product: ujson
Published: Mar 18, 2026
Source: GitHub
CVE-2026-32874 HIGH - 7.5

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus ...

Vendor: pip
Product: ujson
Published: Mar 18, 2026
Source: GitHub
CVE-2026-32811 HIGH - 8.2

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits the ...

Vendor: go
Product: github.com/dadrus/heimdall
Published: Mar 18, 2026
Source: GitHub
CVE-2026-32763 HIGH - 8.2

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted JS...

Vendor: npm
Product: kysely
Published: Mar 18, 2026
Source: GitHub
CVE-2026-33053 HIGH - 8.8

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_ke...

Vendor: pip
Product: langflow
Published: Mar 18, 2026
Source: GitHub
CVE-2025-41258 HIGH - 8.0

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.

Vendor: danny-avila
Product: LibreChat
Published: Mar 18, 2026
Source: NVD