Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,614
Showing 9,701 - 9,720 of 13,923 CVEs
CVE-2026-27271 HIGH - 7.8

Illustrator versions 29.8.4, 30.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD
CVE-2026-27267 HIGH - 7.8

Illustrator versions 29.8.4, 30.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD
CVE-2026-21362 HIGH - 7.8

Illustrator versions 29.8.4, 30.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD
CVE-2026-21333 HIGH - 8.6

Illustrator versions 29.8.4, 30.1 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD
CVE-2026-31834 HIGH - 7.2

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authoriza...

Vendor: umbraco
Product: Umbraco-CMS
Published: Mar 10, 2026
Source: NVD
CVE-2026-31830 HIGH - 7.5

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation s...

Vendor: sigstore
Product: sigstore-ruby
Published: Mar 10, 2026
Source: NVD
CVE-2026-31829 HIGH - 7.1

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including pr...

Vendor: FlowiseAI
Product: Flowise
Published: Mar 10, 2026
Source: NVD
CVE-2026-31824 HIGH - 8.2

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage lim...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31820 HIGH - 6.5

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checks...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31817 HIGH - 8.5

OliveTin gives access to predefined shell commands from a web interface. Prior to 3000.11.2, when the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartA...

Vendor: OliveTin
Product: OliveTin
Published: Mar 10, 2026
Source: NVD

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport...

Vendor: quinn-rs
Product: quinn
Published: Mar 10, 2026
Source: NVD

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. ...

Vendor: gleam-wisp
Product: wisp
Published: Mar 10, 2026
Source: NVD
CVE-2026-27278 HIGH - 7.8

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious fi...

Vendor: Adobe
Product: Acrobat Reader
Published: Mar 10, 2026
Source: NVD
CVE-2026-27220 HIGH - 7.8

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious fi...

Vendor: Adobe
Product: Acrobat Reader
Published: Mar 10, 2026
Source: NVD
CVE-2026-31801 HIGH - 7.7

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the ...

Vendor: project-zot
Product: zot
Published: Mar 10, 2026
Source: NVD
CVE-2026-31800 HIGH - 9.1

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API rou...

Vendor: parse-community
Product: parse-server
Published: Mar 10, 2026
Source: NVD
CVE-2026-30967 HIGH - 8.8

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspect...

Vendor: parse-community
Product: parse-server
Published: Mar 10, 2026
Source: NVD
CVE-2026-30962 HIGH - 6.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is...

Vendor: parse-community
Product: parse-server
Published: Mar 10, 2026
Source: NVD
CVE-2026-30953 HIGH - 7.7

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server...

Vendor: Kovah
Product: LinkAce
Published: Mar 10, 2026
Source: NVD
CVE-2026-30951 HIGH - 7.5

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who contr...

Vendor: sequelize
Product: sequelize
Published: Mar 10, 2026
Source: NVD