Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,618
Showing 9,661 - 9,680 of 13,923 CVEs
CVE-2026-31839 HIGH - 8.2

Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered ...

Vendor: npm
Product: @striae-org/striae
Published: Mar 11, 2026
Source: GitHub
CVE-2026-28229 HIGH - 7.5

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to 4.0.2 and 3.7.11, Workflow templates endpoints allow any client to retrieve WorkflowTemplates (and ClusterWorkflowTemplates). Any request with an Authorization: Bearer nothing tok...

Vendor: go
Product: github.com/argoproj/argo-workflows/v3
Published: Mar 11, 2026
Source: GitHub
CVE-2026-3496 HIGH - 7.5

The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it ...

Published: Mar 11, 2026
Source: NVD
CVE-2026-32063 HIGH - 7.1

OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd d...

Vendor: openclaw
Product: openclaw
Published: Mar 11, 2026
Source: NVD
CVE-2026-32062 HIGH - 7.5

OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to ...

Vendor: openclaw
Product: openclaw, voice-call
Published: Mar 11, 2026
Source: NVD
CVE-2026-32060 HIGH - 8.8

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including dire...

Vendor: openclaw
Product: openclaw
Published: Mar 11, 2026
Source: NVD
CVE-2026-32059 HIGH - 8.8

In OpenClaw version 2026.2.22-2 prior to 2026.2.23, tools.exec.safeBins validation for the sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options ...

Vendor: openclaw
Product: openclaw
Published: Mar 11, 2026
Source: NVD
CVE-2026-3944 HIGH - 7.3

A vulnerability was determined in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /att_add.php. Manipulation of the argument Name causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be uti...

Vendor: angeljudesuarez
Product: university_management_system
Published: Mar 11, 2026
Source: NVD
CVE-2026-3943 HIGH - 7.3

A vulnerability was found in H3C ACG1000-AK230 up to 20260227. This affects an unknown part of the file /webui/?aaa_portal_auth_local_submit. The manipulation of the argument suffix results in command injection. The attack can be launched remotely. The exploit has been made public and could be used....

Published: Mar 11, 2026
Source: NVD
CVE-2026-3178 HIGH - 7.2

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

Published: Mar 11, 2026
Source: NVD
CVE-2026-3805 HIGH - 7.5

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

Vendor: haxx
Product: curl
Published: Mar 11, 2026
Source: NVD
CVE-2026-3231 HIGH - 7.2

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `p...

Published: Mar 11, 2026
Source: NVD
CVE-2026-1993 HIGH - 8.8

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible ...

Published: Mar 11, 2026
Source: NVD
CVE-2026-1992 HIGH - 8.8

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used in...

Published: Mar 11, 2026
Source: NVD
CVE-2026-1454 HIGH - 7.2

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function which omits ce...

Published: Mar 11, 2026
Source: NVD
CVE-2026-1708 HIGH - 7.5

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the `db_where_conditions` method in the `TD_DB_Model` class failing to prevent the `append_where_sql...

Published: Mar 11, 2026
Source: NVD
CVE-2024-14026 HIGH - 7.8

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker who has gained local network access has also obtained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the ...

Vendor: QNAP Systems Inc.
Product: QTS, QuTS hero
Published: Mar 11, 2026
Source: NVD
CVE-2026-31844 HIGH - 8.8

An authenticated SQL Injection vulnerability (CWE-89) exists in the Koha staff interface in the /cgi-bin/koha/suggestion/suggestion.pl endpoint due to improper validation of the displayby parameter used by the GetDistinctValues functionality. A low-privileged staff user can inject arbitrary SQL quer...

Vendor: Koha Community
Product: Koha
Published: Mar 11, 2026
Source: NVD
CVE-2026-3222 HIGH - 7.5

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in b...

Published: Mar 11, 2026
Source: NVD
CVE-2026-2626 HIGH - 8.1

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing functions, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be furthe...

Published: Mar 11, 2026
Source: NVD