Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,619
Showing 9,821 - 9,840 of 14,444 CVEs
CVE-2026-32124 MEDIUM - 5.4

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or u...

Vendor: openemr
Product: openemr
Published: Mar 11, 2026
Source: NVD
CVE-2026-32122 MEDIUM - 4.3

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same AC...

Vendor: openemr
Product: openemr
Published: Mar 11, 2026
Source: NVD
CVE-2026-32118 MEDIUM - 5.4

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the br...

Vendor: openemr
Product: openemr
Published: Mar 11, 2026
Source: NVD
CVE-2026-32112 MEDIUM - 6.8

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaSc...

Vendor: homeassistant-ai
Product: ha-mcp
Published: Mar 11, 2026
Source: NVD
CVE-2026-32111 MEDIUM - 5.3

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form (beta feature) accepts a user-supplied ha_url and makes a server-side HTTP request to {ha_url}/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network rec...

Vendor: homeassistant-ai
Product: ha-mcp
Published: Mar 11, 2026
Source: NVD
CVE-2026-32106 MEDIUM - 4.7

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or...

Vendor: withstudiocms
Product: studiocms
Published: Mar 11, 2026
Source: NVD
CVE-2026-32104 MEDIUM - 5.4

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never ver...

Vendor: withstudiocms
Product: studiocms
Published: Mar 11, 2026
Source: NVD
CVE-2026-32103 MEDIUM - 6.8

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. ...

Vendor: withstudiocms
Product: studiocms
Published: Mar 11, 2026
Source: NVD
CVE-2026-2640 MEDIUM - 5.5

During an internal security assessment, a potential vulnerability was discovered in Lenovo PC Manager that could allow a local authenticated user to terminate privileged processes.

Published: Mar 11, 2026
Source: NVD
CVE-2026-1717 MEDIUM - 5.5

An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges.

Published: Mar 11, 2026
Source: NVD
CVE-2026-1653 MEDIUM - 5.5

A potential divide by zero vulnerability was reported in the Lenovo Virtual Bus driver used in Smart Connect that could allow a local authenticated user to cause a Windows blue screen error.

Published: Mar 11, 2026
Source: NVD
CVE-2026-1652 MEDIUM - 6.1

A potential buffer overflow vulnerability was reported in the Lenovo Virtual Bus driver used in Smart Connect that could allow a local authenticated user to corrupt memory and cause a Windows blue screen error.

Published: Mar 11, 2026
Source: NVD
CVE-2026-1068 MEDIUM - 5.3

An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to obtain sensitive user data from the application.

Published: Mar 11, 2026
Source: NVD
CVE-2026-0940 MEDIUM - 6.7

A potential improper initialization vulnerability was reported in the BIOS of some ThinkPads that could allow a local privileged user to modify data and execute arbitrary code.

Published: Mar 11, 2026
Source: NVD
CVE-2026-3954 MEDIUM - 6.5

A weakness has been identified in OpenBMB XAgent 1.0.0. Affected by this vulnerability is the function workspace of the file XAgentServer/application/routers/workspace.py. This manipulation of the argument file_name causes path traversal. The attack may be initiated remotely. The exploit has been ma...

Published: Mar 11, 2026
Source: NVD
CVE-2026-3951 MEDIUM - 4.3

A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. Affected is the function authIsAwesome of the file source-code/Locker-master/Ops/registry.js of the component Error Response Handler. The manipulation of the argument ID results in cross site scripting. The attack can be ...

Published: Mar 11, 2026
Source: NVD
CVE-2026-32234 MEDIUM - 4.7

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with Postgr...

Vendor: parse-community
Product: parse-server
Published: Mar 11, 2026
Source: NVD
CVE-2026-32098 MEDIUM - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that ...

Vendor: parse-community
Product: parse-server
Published: Mar 11, 2026
Source: NVD
CVE-2026-32095 MEDIUM - 5.4

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.1, Plunk's image upload endpoint accepted SVG files, which browsers treat as active documents capable of executing embedded JavaScript, creating a stored XSS vulnerability. This vulnerability is fixed in 0.7.1.

Vendor: useplunk
Product: plunk
Published: Mar 11, 2026
Source: NVD
CVE-2026-24510 MEDIUM - 6.7

Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Privilege Management vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Vendor: Dell
Product: Alienware Command Center (AWCC)
Published: Mar 11, 2026
Source: NVD