Total CVEs

141,492

Critical Severity

3,867

High Severity

13,899

Last 7 Days

1,640
Showing 9,381 - 9,400 of 13,899 CVEs
CVE-2026-32775 HIGH - 7.4

libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function is passed a size of 0, the passed-in buffer would be overwritten due to an integer underflow.

Vendor: libexif
Product: libexif
Published: Mar 16, 2026
Source: NVD
CVE-2026-32729 HIGH - 8.1

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breac...

Vendor: runtipi
Product: runtipi
Published: Mar 16, 2026
Source: NVD
CVE-2026-32708 HIGH - 7.8

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, cau...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32706 HIGH - 7.1

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-ser...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32628 HIGH - 8.8

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected da...

Vendor: Mintplex-Labs
Product: anything-llm
Published: Mar 16, 2026
Source: NVD
CVE-2026-32627 HIGH - 8.7

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connec...

Vendor: yhirose
Product: cpp-httplib
Published: Mar 16, 2026
Source: NVD
CVE-2026-32617 HIGH - 7.1

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server...

Vendor: Mintplex-Labs
Product: anything-llm
Published: Mar 16, 2026
Source: NVD
CVE-2026-32616 HIGH - 8.2

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verif...

Vendor: kasuganosoras
Product: Pigeon
Published: Mar 16, 2026
Source: NVD
CVE-2026-31386 HIGH - 7.2

OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.

Vendor: LiteSpeed Technologies
Product: OpenLiteSpeed, LSWS Enterprise
Published: Mar 16, 2026
Source: NVD
CVE-2026-2923 HIGH - 7.8

GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending ...

Vendor: gstreamer
Product: gstreamer
Published: Mar 16, 2026
Source: NVD
CVE-2026-2922 HIGH - 7.8

GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depend...

Vendor: gstreamer
Product: gstreamer
Published: Mar 16, 2026
Source: NVD
CVE-2026-2921 HIGH - 7.8

GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on t...

Vendor: gstreamer
Product: gstreamer
Published: Mar 16, 2026
Source: NVD
CVE-2026-2920 HIGH - 7.8

GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depen...

Vendor: gstreamer
Product: gstreamer
Published: Mar 16, 2026
Source: NVD
CVE-2026-2493 HIGH - 7.5

IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within handling o...

Published: Mar 16, 2026
Source: NVD
CVE-2026-2476 HIGH - 7.6

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

Vendor: mattermost
Product: ms_teams
Published: Mar 16, 2026
Source: NVD
CVE-2026-28521 HIGH - 7.7

arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information discl...

Vendor: Tuya
Product: arduino-TuyaOpen
Published: Mar 16, 2026
Source: NVD
CVE-2026-28520 HIGH - 8.4

arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.

Vendor: Tuya
Product: arduino-TuyaOpen
Published: Mar 16, 2026
Source: NVD
CVE-2026-28519 HIGH - 8.8

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing execution of arbitrary c...

Vendor: Tuya
Product: arduino-TuyaOpen
Published: Mar 16, 2026
Source: NVD
CVE-2026-26133 HIGH - 7.1

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Published: Mar 16, 2026
Source: NVD
CVE-2026-25083 HIGH - 8.3

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper with the other user's threads/messages.

Vendor: GROWI, Inc.
Product: GROWI
Published: Mar 16, 2026
Source: NVD