CVE-2026-32328 MEDIUM - 5.4

Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery. This issue affects Lemmony: from n/a through < 1.7.1.

Vendor: shufflehound
Product: Lemmony
Published: Mar 13, 2026
Source: NVD
CVE-2026-32322 MEDIUM - 5.3

soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, the Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elem...

Vendor: stellar
Product: rs-soroban-sdk
Published: Mar 13, 2026
Source: NVD
CVE-2026-31949 MEDIUM - 6.5

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler a...

Vendor: danny-avila
Product: LibreChat
Published: Mar 13, 2026
Source: NVD
CVE-2026-31919 MEDIUM - 4.3

Missing Authorization vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.7.1.

Vendor: Josh Kohlbach
Product: Advanced Coupons for WooCommerce Coupons
Published: Mar 13, 2026
Source: NVD
CVE-2026-31918 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in immonex immonex Kickstart immonex-kickstart allows Stored XSS. This issue affects immonex Kickstart: from n/a through <= 1.13.0.

Vendor: immonex
Product: immonex Kickstart
Published: Mar 13, 2026
Source: NVD
CVE-2026-31916 MEDIUM - 5.3

Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post Shortcode: from n/a through <= 14.2.1.

Vendor: Iulia Cazan
Product: Latest Post Shortcode
Published: Mar 13, 2026
Source: NVD
CVE-2026-31915 MEDIUM - 5.3

Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flatsome: from n/a through <= 3.19.6.

Vendor: UX-themes
Product: Flatsome
Published: Mar 13, 2026
Source: NVD
CVE-2026-31885 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and step_index values from input data. This vulnerability is fixed in 3.24.0.

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 13, 2026
Source: NVD
CVE-2026-31884 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, division by zero in MS-ADPCM and IMA-ADPCM decoders when nBlockAlign is 0, leading to a crash. In libfreerdp/codec/dsp.c, both ADPCM decoders use size % block_size where block_size = context->common.format.nBlockAli...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 13, 2026
Source: NVD
CVE-2026-31883 MEDIUM - 6.5

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a size_t underflow in the IMA-ADPCM and MS-ADPCM audio decoders leads to heap-buffer-overflow write via the RDPSND audio channel. In libfreerdp/codec/dsp.c, the IMA-ADPCM and MS-ADPCM decoders subtract block header siz...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 13, 2026
Source: NVD
CVE-2026-31864 MEDIUM - 6.8

JumpServer is an open source bastion host and an operation and maintenance security audit system. A Server-Side Template Injection (SSTI) vulnerability exists in JumpServer's Applet and VirtualApp upload functionality. This vulnerability can only be exploited by users with administrative privil...

Vendor: jumpserver
Product: jumpserver
Published: Mar 13, 2026
Source: NVD
CVE-2026-31798 MEDIUM - 5.0

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and captur...

Vendor: jumpserver
Product: jumpserver
Published: Mar 13, 2026
Source: NVD
CVE-2026-30961 MEDIUM - 4.3

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an ove...

Vendor: Forceu
Product: Gokapi
Published: Mar 13, 2026
Source: NVD
CVE-2026-30955 MEDIUM - 6.5

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixe...

Vendor: Forceu
Product: Gokapi
Published: Mar 13, 2026
Source: NVD
CVE-2026-30943 MEDIUM - 4.1

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the de...

Vendor: Forceu
Product: Gokapi
Published: Mar 13, 2026
Source: NVD
CVE-2026-30915 MEDIUM - 4.3

SFTPGo is an open source, event-driven file transfer solution. SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes. When a group is configured with a dynamic home directory or key prefix using placehold...

Vendor: drakkan
Product: sftpgo
Published: Mar 13, 2026
Source: NVD
CVE-2026-30914 MEDIUM - 8.1

SFTPGo is an open source, event-driven file transfer solution. In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to...

Vendor: drakkan
Product: sftpgo
Published: Mar 13, 2026
Source: NVD
CVE-2026-30853 MEDIUM - 5.0

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre p...

Vendor: kovidgoyal
Product: calibre
Published: Mar 13, 2026
Source: NVD
CVE-2026-2888 MEDIUM - 5.3

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input...

Published: Mar 13, 2026
Source: NVD
CVE-2026-2879 MEDIUM - 5.4

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and,...

Published: Mar 13, 2026
Source: NVD