Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,884

CVE-2026-30939 HIGH - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The serv...

Vendor: npm
Product: parse-server
Published: Mar 10, 2026
Source: GitHub

CVE-2026-30925 HIGH - 7.5

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes...

Vendor: npm
Product: parse-server
Published: Mar 10, 2026
Source: GitHub

CVE-2026-3288 HIGH - 8.8

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to...

Published: Mar 09, 2026
Source: NVD

CVE-2026-25737 HIGH - 8.9

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restri...

Vendor: Budibase
Product: budibase
Published: Mar 09, 2026
Source: NVD

CVE-2026-25045 HIGH - 8.8

Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who shou...

Vendor: Budibase
Product: budibase
Published: Mar 09, 2026
Source: NVD

CVE-2025-70028 HIGH - 7.5

An issue pertaining to CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

Published: Mar 09, 2026
Source: NVD

CVE-2026-0846 HIGH - 8.6

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by ...

Published: Mar 09, 2026
Source: NVD

CVE-2025-70031 HIGH - 8.8

An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

Published: Mar 09, 2026
Source: NVD

CVE-2025-70030 HIGH - 7.5

An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

Published: Mar 09, 2026
Source: NVD

CVE-2025-62166 HIGH - 7.5

FreshRSS is a free, self-hostable RSS aggregator. Prior to 1.28.0, due to a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. Thi...

Vendor: FreshRSS
Product: FreshRSS
Published: Mar 09, 2026
Source: NVD

CVE-2026-30930 HIGH - 9.8

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single qu...

Vendor: pip
Product: Glances
Published: Mar 09, 2026
Source: GitHub

CVE-2026-30928 HIGH - 7.5

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for al...

Vendor: pip
Product: glances
Published: Mar 09, 2026
Source: GitHub

CVE-2026-30934 HIGH - 8.9

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/templa...

Vendor: go
Product: github.com/gtsteffaniak/filebrowser
Published: Mar 09, 2026
Source: GitHub

CVE-2026-30933 HIGH - 7.5

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-s...

Vendor: go
Product: github.com/gtsteffaniak/filebrowser/backend
Published: Mar 09, 2026
Source: GitHub

CVE-2026-30140 HIGH - 7.5

An incorrect access control vulnerability exists in Tenda W15E V02.03.01.26_cn. An unauthenticated attacker can access the /cgi-bin/DownloadCfg/RouterCfm.jpg endpoint to download the configuration file containing plaintext administrator credentials, leading to sensitive information disclosure and po...

Vendor: tenda
Product: w15e_firmware
Published: Mar 09, 2026
Source: NVD

CVE-2026-30926 HIGH - 7.1

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint ...

Vendor: go
Product: github.com/siyuan-note/siyuan/kernel
Published: Mar 09, 2026
Source: GitHub

CVE-2026-29023 HIGH - 7.3

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance u...

Vendor: KeygraphHQ
Product: Shannon
Published: Mar 09, 2026
Source: NVD

CVE-2025-70038 HIGH - 8.8

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in linagora Twake v2023.Q1.1223. This allows attackers to execute arbitrary code.

Vendor: linagora
Product: twake
Published: Mar 09, 2026
Source: NVD

CVE-2025-70034 HIGH - 7.5

An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in mscdex ssh2 v1.17.0.

Published: Mar 09, 2026
Source: NVD

CVE-2026-30920 HIGH - 8.6

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for t...

Vendor: npm
Product: @oneuptime/common
Published: Mar 09, 2026
Source: GitHub