Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,614
CVE-2026-2466 HIGH - 7.1

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Published: Mar 11, 2026
Source: NVD
CVE-2026-20892 HIGH - 7.2

Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands.

Vendor: Micro Research Ltd.
Product: MR-GM5L-S1, MR-GM5A-L1
Published: Mar 11, 2026
Source: NVD
CVE-2026-2413 HIGH - 7.5

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly conca...

Published: Mar 11, 2026
Source: NVD
CVE-2025-13067 HIGH - 8.8

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible ...

Vendor: wproyal
Product: Royal Addons for Elementor – Addons and Templates Kit for Elementor
Published: Mar 11, 2026
Source: NVD
CVE-2026-23816 HIGH - 7.2

A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.

Vendor: Hewlett Packard Enterprise (HPE)
Product: AOS-CX
Published: Mar 11, 2026
Source: NVD
CVE-2026-23815 HIGH - 7.2

A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an authenticated remote attacker with high privileges to perform command injection. Successful exploitation could allow an attacker to execute unauthorized commands.

Vendor: Hewlett Packard Enterprise (HPE)
Product: AOS-CX
Published: Mar 11, 2026
Source: NVD
CVE-2026-23814 HIGH - 8.8

A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior.

Vendor: Hewlett Packard Enterprise (HPE)
Product: AOS-CX
Published: Mar 11, 2026
Source: NVD
CVE-2026-3453 HIGH - 8.1

The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts ...

Published: Mar 11, 2026
Source: NVD
CVE-2026-21361 HIGH - 8.1

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript ma...

Vendor: Adobe
Product: Adobe Commerce
Published: Mar 11, 2026
Source: NVD
CVE-2026-21311 HIGH - 8.0

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

Vendor: Adobe
Product: Adobe Commerce
Published: Mar 11, 2026
Source: NVD
CVE-2026-21309 HIGH - 7.5

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthoriz...

Vendor: Adobe
Product: Adobe Commerce
Published: Mar 11, 2026
Source: NVD
CVE-2026-21290 HIGH - 8.7

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may ...

Vendor: Adobe
Product: Adobe Commerce
Published: Mar 11, 2026
Source: NVD
CVE-2026-21289 HIGH - 7.5

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthoriz...

Vendor: Adobe
Product: Adobe Commerce
Published: Mar 11, 2026
Source: NVD
CVE-2026-21284 HIGH - 8.1

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

Vendor: Adobe
Product: Adobe Commerce
Published: Mar 11, 2026
Source: NVD
CVE-2026-31875 HIGH - 5.9

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as ...

Vendor: npm
Product: parse-server
Published: Mar 11, 2026
Source: GitHub
CVE-2026-31872 HIGH - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation ...

Vendor: npm
Product: parse-server
Published: Mar 11, 2026
Source: GitHub
CVE-2026-31866 HIGH - 7.5

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context in...

Vendor: go
Product: github.com/open-feature/flagd/flagd
Published: Mar 11, 2026
Source: GitHub
CVE-2026-31858 HIGH - 8.8

Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) work...

Vendor: composer
Product: craftcms/cms
Published: Mar 11, 2026
Source: GitHub
CVE-2026-31861 HIGH - 8.8

Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, the /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). T...

Vendor: npm
Product: @siteboon/claude-code-ui
Published: Mar 10, 2026
Source: GitHub
CVE-2026-27272 HIGH - 7.8

Illustrator versions 29.8.4, 30.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD