Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,636
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 9,521 - 9,540 of 14,061 CVEs
CVE-2026-32776 MEDIUM - 4.0

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Vendor: libexpat project
Product: libexpat
Published: Mar 16, 2026
Source: NVD
CVE-2026-32774 MEDIUM - 6.4

Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.

Vendor: Vulnogram
Product: Vulnogram
Published: Mar 16, 2026
Source: NVD
CVE-2026-32724 MEDIUM - 5.3

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thr...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32719 MEDIUM - 4.2

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it...

Vendor: Mintplex-Labs
Product: anything-llm
Published: Mar 16, 2026
Source: NVD
CVE-2026-32713 MEDIUM - 4.3

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, a logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descr...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32709 MEDIUM - 5.4

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, an unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without a...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32707 MEDIUM - 5.2

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable a...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32705 MEDIUM - 6.8

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the BST telemetry probe writes a string terminator using a device-provided length without bounds. A malicious BST device can report an oversized dev_name_len, causing a stack overflow in the driver and crashing the task (or ...

Vendor: PX4
Product: PX4-Autopilot
Published: Mar 16, 2026
Source: NVD
CVE-2026-32702 MEDIUM - 5.3

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measur...

Vendor: Cleanuparr
Product: Cleanuparr
Published: Mar 16, 2026
Source: NVD
CVE-2026-2578 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion, which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2491 MEDIUM - 6.3

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability. The specific flaw ex...

Published: Mar 16, 2026
Source: NVD
CVE-2026-2463 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Adviso...

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2462 MEDIUM - 6.6

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltrate sensitive configuration data includin...

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2461 MEDIUM - 4.3

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2458 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost Advisory I...

Vendor: go
Product: github.com/mattermost/mattermost/server/v8
Published: Mar 16, 2026
Source: NVD
CVE-2026-2457 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisor...

Vendor: mattermost
Product: mattermost_server
Published: Mar 16, 2026
Source: NVD
CVE-2026-2456 MEDIUM - 5.3

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server th...

Vendor: go
Product: github.com/mattermost/mattermost/server/v8
Published: Mar 16, 2026
Source: NVD
CVE-2026-2233 MEDIUM - 5.3

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes i...

Published: Mar 16, 2026
Source: NVD
CVE-2026-28522 MEDIUM - 6.5

arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets to cause memory exhaustion on the device, triggering a null pointer dereference and resulting ...

Vendor: Tuya
Product: arduino-TuyaOpen
Published: Mar 16, 2026
Source: NVD
CVE-2026-26246 MEDIUM - 4.3

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost A...

Vendor: Mattermost
Product: Mattermost
Published: Mar 16, 2026
Source: NVD