Total CVEs: 141,292
Critical Severity: 3,799
High Severity: 13,738
Last 7 Days: 1,666
Showing 9,281 - 9,300 of 14,211 CVEs
CVE-2026-3562 MEDIUM - 6.3

Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Authentication is not required to exploit this vulnerability. The specific fl...

Published: Mar 16, 2026
Source: NVD
CVE-2026-3442 MEDIUM - 6.1

A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead...

Vendor: gnu
Product: binutils
Published: Mar 16, 2026
Source: NVD
CVE-2026-3441 MEDIUM - 6.1

A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw,...

Vendor: gnu
Product: binutils
Published: Mar 16, 2026
Source: NVD
CVE-2026-3024 MEDIUM - 5.4

Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a maliciou...

Vendor: wakyma
Product: wakyma
Published: Mar 16, 2026
Source: NVD
CVE-2026-3022 MEDIUM - 6.5

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/hospitalization/generate-hospitalization-summary'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the ...

Vendor: wakyma
Product: wakyma
Published: Mar 16, 2026
Source: NVD
CVE-2026-3021 MEDIUM - 6.5

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting specia...

Vendor: wakyma
Product: wakyma
Published: Mar 16, 2026
Source: NVD
CVE-2026-32777 MEDIUM - 4.0

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Vendor: libexpat project
Product: libexpat
Published: Mar 16, 2026
Source: NVD
CVE-2026-32776 MEDIUM - 4.0

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Vendor: libexpat project
Product: libexpat
Published: Mar 16, 2026
Source: NVD
CVE-2026-32774 MEDIUM - 6.4

Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.

Vendor: Vulnogram
Product: Vulnogram
Published: Mar 16, 2026
Source: NVD
CVE-2026-32724 MEDIUM - 5.3

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thr...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32719 MEDIUM - 4.2

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it...

Vendor: Mintplex-Labs
Product: anything-llm
Published: Mar 16, 2026
Source: NVD
CVE-2026-32713 MEDIUM - 4.3

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, a logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descr...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32709 MEDIUM - 5.4

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without a...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32707 MEDIUM - 5.2

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable a...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32705 MEDIUM - 6.8

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the BST telemetry probe writes a string terminator using a device-provided length without bounds. A malicious BST device can report an oversized dev_name_len, causing a stack overflow in the driver and crashing the task (or ...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32702 MEDIUM - 5.3

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measur...

Vendor: Cleanuparr
Product: Cleanuparr
Published: Mar 16, 2026
Source: NVD
CVE-2026-2578 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2491 MEDIUM - 6.3

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability. The specific flaw ex...

Published: Mar 16, 2026
Source: NVD
CVE-2026-2463 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Adviso...

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2462 MEDIUM - 6.6

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data includin...

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD