Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,917
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 10,041 - 10,060 of 14,221 CVEs
CVE-2026-3904 MEDIUM - 6.2

Calling NSS-backed functions that support caching via nscd may call the nscd client-side code, and in the GNU C Library version 2.36 under high load on x86_64 systems the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client i...

Published: Mar 11, 2026
Source: NVD
CVE-2026-32061 MEDIUM - 4.4

OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal s...

Vendor: openclaw
Product: openclaw
Published: Mar 11, 2026
Source: NVD
CVE-2026-3784 MEDIUM - 6.5

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Vendor: haxx
Product: curl
Published: Mar 11, 2026
Source: NVD
CVE-2026-3783 MEDIUM - 5.3

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with eithe...

Vendor: haxx
Product: curl
Published: Mar 11, 2026
Source: NVD
CVE-2026-1965 MEDIUM - 6.5

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteri...

Vendor: haxx
Product: curl
Published: Mar 11, 2026
Source: NVD
CVE-2026-3906 MEDIUM - 4.3

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` meth...

Published: Mar 11, 2026
Source: NVD
CVE-2026-3492 MEDIUM - 6.4

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insuffi...

Published: Mar 11, 2026
Source: NVD
CVE-2026-3903 MEDIUM - 4.3

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers...

Published: Mar 11, 2026
Source: NVD
CVE-2026-2918 MEDIUM - 6.4

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_condition_update` AJAX action. This is due to the `validate_reqeust()` method using `current_user_can('edit_posts', $template_id)` ...

Published: Mar 11, 2026
Source: NVD
CVE-2026-2917 MEDIUM - 5.4

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the `ha_duplicate_thing` admin action handler. This is due to the `can_clone()` method only checking `current_user_can('edit_posts')` (a ge...

Published: Mar 11, 2026
Source: NVD
CVE-2024-14025 MEDIUM - 6.7

An SQL injection vulnerability has been reported to affect Video Station. If an attacker who has also gained an administrator account gains local network access, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the followi...

Vendor: QNAP Systems Inc.
Product: Video Station
Published: Mar 11, 2026
Source: NVD
CVE-2024-14024 MEDIUM - 6.7

An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker who has also gained an administrator account gains local network access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerabil...

Vendor: QNAP Systems Inc.
Product: Video Station
Published: Mar 11, 2026
Source: NVD
CVE-2026-3825 MEDIUM - 6.1

IFTOP developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks.

Vendor: wellchoose
Product: organization_portal_system
Published: Mar 11, 2026
Source: NVD
CVE-2026-3824 MEDIUM - 6.1

IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting a malicious website.

Vendor: wellchoose
Product: organization_portal_system
Published: Mar 11, 2026
Source: NVD
CVE-2026-3534 MEDIUM - 6.4

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escapi...

Published: Mar 11, 2026
Source: NVD
CVE-2026-3884 MEDIUM - 6.1

Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function, which allows the creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achie...

Published: Mar 11, 2026
Source: NVD
CVE-2026-2707 MEDIUM - 6.4

The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitte...

Published: Mar 11, 2026
Source: NVD
CVE-2026-2358 MEDIUM - 6.4

The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, ...

Published: Mar 11, 2026
Source: NVD
CVE-2026-1867 MEDIUM - 5.9

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Postin...

Published: Mar 11, 2026
Source: NVD
CVE-2026-1753 MEDIUM - 6.8

The Gutena Forms WordPress plugin before 1.6.1 does not validate the option to be updated, which could allow users with the contributor role and above to update arbitrary boolean and array options (such as users_can_register).

Published: Mar 11, 2026
Source: NVD