Total CVEs: 141,492

Critical Severity: 3,867

High Severity: 13,899

Last 7 Days: 1,659
Showing 9,321 - 9,340 of 13,899 CVEs
CVE-2026-32263 HIGH - 7.2

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers...

Vendor: composer
Product: craftcms/cms
Published: Mar 16, 2026
Source: GitHub
CVE-2026-30405 HIGH - 7.5

An issue in GoBGP gobgpd v4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute.

Vendor: go
Product: github.com/osrg/gobgp/v4
Published: Mar 16, 2026
Source: NVD
CVE-2026-32634 HIGH - 8.1

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of ...

Vendor: pip
Product: Glances
Published: Mar 16, 2026
Source: GitHub
CVE-2026-32611 HIGH - 7.0

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances...

Vendor: pip
Product: Glances
Published: Mar 16, 2026
Source: GitHub
CVE-2026-32610 HIGH - 8.1

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlett...

Vendor: pip
Product: Glances
Published: Mar 16, 2026
Source: GitHub
CVE-2026-32609 HIGH - 7.5

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints ...

Vendor: pip
Product: Glances
Published: Mar 16, 2026
Source: GitHub
CVE-2026-32608 HIGH - 7.0

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with ...

Vendor: pip
Product: Glances
Published: Mar 16, 2026
Source: GitHub
CVE-2026-32606 HIGH - 7.7

IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physical access to the machine to access the encrypted data without requiring any interaction by the syste...

Vendor: go
Product: github.com/lxc/incus-os/incus-osd
Published: Mar 16, 2026
Source: GitHub
CVE-2026-32596 HIGH - 7.5

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, ...

Vendor: pip
Product: Glances
Published: Mar 16, 2026
Source: GitHub
CVE-2026-28500 HIGH - 8.6

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn user...

Vendor: pip
Product: onnx
Published: Mar 16, 2026
Source: GitHub
CVE-2026-27459 HIGH - 9.8

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26....

Vendor: pip
Product: pyopenssl
Published: Mar 16, 2026
Source: GitHub
CVE-2026-4276 HIGH - 7.5

LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.

Published: Mar 16, 2026
Source: NVD
CVE-2025-69784 HIGH - 8.8

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-...

Vendor: xcitium
Product: openedr
Published: Mar 16, 2026
Source: NVD
CVE-2025-69783 HIGH - 7.8

A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality suc...

Vendor: xcitium
Product: openedr
Published: Mar 16, 2026
Source: NVD
CVE-2026-29112 HIGH - 7.5

DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the `ensureSize()` function in `@dicebear/converter` read the `width` and `height` attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supp...

Vendor: npm
Product: @dicebear/converter
Published: Mar 16, 2026
Source: GitHub
CVE-2026-28490 HIGH - 6.5

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registe...

Vendor: pip
Product: authlib
Published: Mar 16, 2026
Source: GitHub
CVE-2026-25369 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Flexmls Flexmls® IDX allows Reflected XSS. This issue affects Flexmls® IDX: from n/a through 3.15.9.

Vendor: Flexmls
Product: Flexmls® IDX
Published: Mar 16, 2026
Source: NVD
CVE-2025-69196 HIGH - 6.5

FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for th...

Vendor: pip
Product: fastmcp
Published: Mar 16, 2026
Source: GitHub
CVE-2026-4237 HIGH - 7.3

A flaw has been found in itsourcecode Free Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /hotel/admin/mod_reports/index.php. Executing a manipulation of the argument Home can lead to sql injection. The attack may be performed from remote. The exploit has been publ...

Published: Mar 16, 2026
Source: NVD
CVE-2026-4236 HIGH - 7.3

A security vulnerability has been detected in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=add. Such manipulation of the argument txtsearch/deptname/name leads to sql injection. The attack may be performed from remote. The exploit ...

Published: Mar 16, 2026
Source: NVD