CVE-2026-32142 MEDIUM - 5.3

Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.

Vendor: shopware
Product: commercial
Published: Mar 12, 2026
Source: NVD
CVE-2026-2376 MEDIUM - 4.9

A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destina...

Published: Mar 12, 2026
Source: NVD
CVE-2025-66955 MEDIUM - 6.5

Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls.

Published: Mar 12, 2026
Source: NVD
CVE-2025-61154 MEDIUM - 6.5

Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.

Published: Mar 12, 2026
Source: NVD
CVE-2025-13913 MEDIUM - 6.3

Inductive Automation Ignition Software is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the "forgot password" recovery email address.

Vendor: Inductive Automation
Product: Ignition Software
Published: Mar 12, 2026
Source: NVD
CVE-2026-32139 MEDIUM - 5.4

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as on...

Vendor: dataease
Product: dataease
Published: Mar 12, 2026
Source: NVD
CVE-2026-32100 MEDIUM - 5.3

Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.

Vendor: swag
Product: platform-security
Published: Mar 12, 2026
Source: NVD
CVE-2026-31890 MEDIUM - 5.5

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. Prior to 0.50.1, in a situation where the ring-buffer of a gadget is – incidentally or maliciously – already full, the gadget will silently drop events. The i...

Vendor: inspektor-gadget
Product: inspektor-gadget
Published: Mar 12, 2026
Source: NVD
CVE-2026-31841 MEDIUM - 6.5

Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL queries, exposing statements which were supp...

Vendor: hyperterse
Product: hyperterse
Published: Mar 12, 2026
Source: NVD
CVE-2026-29066 MEDIUM - 6.2

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on t...

Vendor: @tinacms
Product: cli
Published: Mar 12, 2026
Source: NVD
CVE-2026-24125 MEDIUM - 6.3

Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.j...

Vendor: @tinacms
Product: graphql
Published: Mar 12, 2026
Source: NVD
CVE-2026-32237 MEDIUM - 4.4

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all part...

Vendor: npm
Product: @backstage/plugin-scaffolder-backend
Published: Mar 12, 2026
Source: GitHub
CVE-2026-32235 MEDIUM - 5.9

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and ...

Vendor: npm
Product: @backstage/plugin-auth-backend
Published: Mar 12, 2026
Source: GitHub
CVE-2026-32230 MEDIUM - 5.3

Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query be...

Vendor: npm
Product: uptime-kuma
Published: Mar 12, 2026
Source: GitHub
CVE-2026-3099 MEDIUM - 5.8

A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authenticat...

Published: Mar 12, 2026
Source: NVD
CVE-2026-2987 MEDIUM - 6.1

The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web s...

Published: Mar 12, 2026
Source: NVD
CVE-2026-4039 MEDIUM - 6.3

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is...

Vendor: openclaw
Product: openclaw
Published: Mar 12, 2026
Source: NVD
CVE-2026-3234 MEDIUM - 4.3

A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO end...

Published: Mar 12, 2026
Source: NVD
CVE-2026-4016 MEDIUM - 5.3

A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has ...

Published: Mar 12, 2026
Source: NVD
CVE-2026-4015 MEDIUM - 5.3

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin_process_texml of the file src/filters/load_text.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit ...

Published: Mar 12, 2026
Source: NVD