Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,636
Quick preset (or use dates below)
Clear Filters
Showing 9,721 - 9,740 of 14,444 CVEs
CVE-2026-2859 MEDIUM - 4.3

Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure.

Vendor: checkmk
Product: checkmk
Published: Mar 13, 2026
Source: NVD
CVE-2026-2257 MEDIUM - 6.4

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to upda...

Published: Mar 13, 2026
Source: NVD
CVE-2026-29775 MEDIUM - 5.3

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap out-of-bounds read/write occurs in FreeRDP's bitmap cache subsystem due to an off-by-one boundary check in bitmap_cache_put. A malicious server can send a CACHE_BITMAP_ORDER (Rev1) with cacheId ...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 13, 2026
Source: NVD
CVE-2026-29774 MEDIUM - 5.3

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, a client-side heap buffer overflow occurs in the FreeRDP client's AVC420/AVC444 YUV-to-RGB conversion path due to missing horizontal bounds validation of H.264 metablock regionRects coordinates. In yuv.c, the cla...

Vendor: FreeRDP
Product: FreeRDP
Published: Mar 13, 2026
Source: NVD
CVE-2026-24097 MEDIUM - 4.3

Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/register_existing endpoint, which could lead to information disclosure...

Vendor: Checkmk GmbH
Product: Checkmk
Published: Mar 13, 2026
Source: NVD
CVE-2026-23940 MEDIUM - 6.5

Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of servic...

Vendor: hexpm
Product: hexpm, hex.pm
Published: Mar 13, 2026
Source: NVD
CVE-2026-22216 MEDIUM - 6.5

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard cha...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22215 MEDIUM - 4.3

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by expl...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22210 MEDIUM - 4.4

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary Java...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22209 MEDIUM - 5.5

thingino-firmware up to commit e3f6a41 (published on 2026-03-15) contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter name...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22203 MEDIUM - 4.9

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, a...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22201 MEDIUM - 5.3

wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumven...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22199 MEDIUM - 5.3

wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows attackers to manipulate comment votes by obtaining fresh nonces and bypassing rate limiting through client-controlled headers. Attackers can vary User-Agent headers to reset rate limits, request nonces from the unauthentic...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22192 MEDIUM - 6.1

wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in th...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22191 MEDIUM - 6.5

wpDiscuz before 7.6.47 contains a shortcode injection vulnerability that allows attackers to execute arbitrary shortcodes by including them in comment content sent via email notifications. Attackers can inject shortcodes like [contact-form-7] or [user_meta] in comments, which are executed server-sid...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-22183 MEDIUM - 6.1

wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directl...

Vendor: gVectors
Product: wpDiscuz
Published: Mar 13, 2026
Source: NVD
CVE-2026-1704 MEDIUM - 4.3

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_a...

Published: Mar 13, 2026
Source: NVD
CVE-2026-0835 MEDIUM - 5.4

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7_2, 6.2.0.0 through 6.2.0.5_1, 6.2.1.0 through 6.2.1.1_1, and 6.2.2.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alterin...

Vendor: ibm
Product: sterling_b2b_integrator
Published: Mar 13, 2026
Source: NVD
CVE-2025-8766 MEDIUM - 6.4

A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, eve...

Published: Mar 13, 2026
Source: NVD
CVE-2025-66249 MEDIUM - 6.3

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "liv...

Vendor: Apache Software Foundation
Product: Apache Livy
Published: Mar 13, 2026
Source: NVD