Total CVEs: 141,537

Critical Severity: 3,871

High Severity: 13,923

Last 7 Days: 1,576
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 9,961 - 9,980 of 14,061 CVEs
CVE-2026-27270 MEDIUM - 5.5

Illustrator versions 29.8.4, 30.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim ...

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD
CVE-2026-27268 MEDIUM - 5.5

Illustrator versions 29.8.4, 30.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim ...

Vendor: Adobe
Product: Illustrator
Published: Mar 10, 2026
Source: NVD
CVE-2026-31833 MEDIUM - 6.7

Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler att...

Vendor: umbraco
Product: Umbraco-CMS
Published: Mar 10, 2026
Source: NVD
CVE-2026-31832 MEDIUM - 5.4

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, a broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by insuffi...

Vendor: umbraco
Product: Umbraco-CMS
Published: Mar 10, 2026
Source: NVD
CVE-2026-31828 MEDIUM - 8.8

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) a...

Vendor: parse-community
Product: parse-server
Published: Mar 10, 2026
Source: NVD

pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This v...

Vendor: py-pdf
Product: pypdf
Published: Mar 10, 2026
Source: NVD
CVE-2026-31825 MEDIUM - 5.3

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in ...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31823 MEDIUM - 4.8

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): Th...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31822 MEDIUM - 6.1

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is re...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31821 MEDIUM - 5.3

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenVa...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31819 MEDIUM - 6.1

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate appli...

Vendor: Sylius
Product: Sylius
Published: Mar 10, 2026
Source: NVD
CVE-2026-31815 MEDIUM - 5.3

Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modif...

Vendor: django-commons
Product: django-unicorn
Published: Mar 10, 2026
Source: NVD
CVE-2026-27221 MEDIUM - 5.5

Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by an Improper Certificate Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to spoof the identity of a signer. Exploitation of this issue re...

Vendor: Adobe
Product: Acrobat Reader
Published: Mar 10, 2026
Source: NVD
CVE-2026-31809 MEDIUM - 6.1

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (\t), newline (\n), or carriage return (\r) characters inside the...

Vendor: siyuan-note
Product: siyuan
Published: Mar 10, 2026
Source: NVD
CVE-2026-31808 MEDIUM - 5.3

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value ...

Vendor: sindresorhus
Product: file-type
Published: Mar 10, 2026
Source: NVD
CVE-2026-31807 MEDIUM - 6.1

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation e...

Vendor: siyuan-note
Product: siyuan
Published: Mar 10, 2026
Source: NVD
CVE-2026-30972 MEDIUM - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internall...

Vendor: parse-community
Product: parse-server
Published: Mar 10, 2026
Source: NVD
CVE-2026-30954 MEDIUM - 4.3

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs.

Vendor: Kovah
Product: LinkAce
Published: Mar 10, 2026
Source: NVD
CVE-2026-0119 MEDIUM - 6.8

In usim_SendMCCMNCIndMsg of usim_Registration.c, there is a possible out of bounds write due to memory corruption. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Mar 10, 2026
Source: NVD
CVE-2026-0108 MEDIUM - 4.0

The register protection of the PowerVR GPU is incorrectly configured. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Vendor: google
Product: android
Published: Mar 10, 2026
Source: NVD