Total CVEs: 141,537
Critical Severity: 3,871
High Severity: 13,923
Last 7 Days: 1,619
Showing 9,841 - 9,860 of 14,444 CVEs
CVE-2026-32094 MEDIUM - 6.5

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secr...

Vendor: npm
Product: shescape
Published: Mar 11, 2026
Source: GitHub
CVE-2026-31888 MEDIUM - 5.3

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown ...

Vendor: shopware
Product: core, platform
Published: Mar 11, 2026
Source: NVD
CVE-2026-31879 MEDIUM - 5.4

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14...

Vendor: frappe
Product: frappe
Published: Mar 11, 2026
Source: NVD
CVE-2026-31878 MEDIUM - 5.0

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16...

Vendor: frappe
Product: frappe
Published: Mar 11, 2026
Source: NVD
CVE-2026-31876 MEDIUM - 5.4

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting (XSS) vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed() function in component.tsx interpolated the user-suppl...

Vendor: streetwriters
Product: notesnook
Published: Mar 11, 2026
Source: NVD
CVE-2019-25485 MEDIUM - 6.2

R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. Attackers can inject a crafted payload through the Language for menus preference to trigger a structured exception handler chain ...

Vendor: R-Project
Product: R
Published: Mar 11, 2026
Source: NVD
CVE-2019-25484 MEDIUM - 6.2

WinMPG iPod Convert 3.0 contains a buffer overflow vulnerability in the Register dialog that allows local attackers to crash the application by supplying an oversized payload. Attackers can paste a large string of characters into the User Name and User Code field to trigger a denial of service condi...

Vendor: Winmpg
Product: WinMPG iPod Convert
Published: Mar 11, 2026
Source: NVD
CVE-2019-25477 MEDIUM - 6.2

RAR Password Recovery 1.80 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the registration dialog. Attackers can craft a malicious input string exceeding 6000 bytes and paste it into the User Name and Registration Co...

Vendor: Top-Password
Product: RAR Password Recovery
Published: Mar 11, 2026
Source: NVD
CVE-2019-25476 MEDIUM - 6.2

Outlook Password Recovery 2.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. Attackers can create a malicious text file containing 6000 bytes of data and paste it into the User Name and Registration Code field to trig...

Vendor: Top-Password
Product: Outlook Password Recovery Denial of Service Exploit
Published: Mar 11, 2026
Source: NVD
CVE-2019-25475 MEDIUM - 6.2

SQL Server Password Changer 1.90 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. Attackers can inject 6000 bytes of data into the User Name and Registration Code field to trigger a denial of service condition.

Vendor: Top-Password
Product: SQL Server Password Changer Denial of Service Exploit
Published: Mar 11, 2026
Source: NVD
CVE-2019-25474 MEDIUM - 6.2

Easy MP3 Downloader 4.7.8.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long unlock code. Attackers can generate a file containing 6000 'A' characters and paste the contents into the Unlock Code field during appl...

Vendor: Unknown
Product: Easy MP3 Downloader Denial of Service
Published: Mar 11, 2026
Source: NVD
CVE-2019-25469 MEDIUM - 6.2

Folder Lock 7.7.9 contains a buffer overflow vulnerability in the serial number registration field that allows local attackers to crash the application by submitting an oversized payload. Attackers can paste a 6000-byte buffer of arbitrary data into the 'Serial Number and Registration Key'...

Vendor: Newsoftwares
Product: Folder Lock
Published: Mar 11, 2026
Source: NVD
CVE-2019-25464 MEDIUM - 5.5

InputMapper 1.6.10 contains a buffer overflow vulnerability in the username field that allows local attackers to crash the application by entering an excessively long string. Attackers can trigger a denial of service by copying a large payload into the username field and double-clicking to process i...

Vendor: DSD Consulting Services LLC.
Product: InputMapper
Published: Mar 11, 2026
Source: NVD
CVE-2019-25463 MEDIUM - 6.2

SpotIE Internet Explorer Password Recovery 2.9.5 contains a denial of service vulnerability in the registration key input field that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 256-character payload into the Key field during registra...

Vendor: Nsauditor
Product: SpotIE Internet Explorer Password Recovery
Published: Mar 11, 2026
Source: NVD
CVE-2026-30226 MEDIUM - 7.5

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

Vendor: sveltejs
Product: devalue
Published: Mar 11, 2026
Source: NVD
CVE-2026-3429 MEDIUM - 4.2

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA...

Vendor: maven
Product: org.keycloak:keycloak-services
Published: Mar 11, 2026
Source: NVD
CVE-2026-31813 MEDIUM - 4.8

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a valid...

Vendor: supabase
Product: auth
Published: Mar 11, 2026
Source: NVD
CVE-2026-30868 MEDIUM - 6.3

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE metho...

Vendor: opnsense
Product: core
Published: Mar 11, 2026
Source: NVD
CVE-2026-30239 MEDIUM - 6.5

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This a...

Vendor: opf
Product: openproject
Published: Mar 11, 2026
Source: NVD
CVE-2026-30236 MEDIUM - 4.3

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate (if one was set up...

Vendor: opf
Product: openproject
Published: Mar 11, 2026
Source: NVD