Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,763
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 10,241 - 10,260 of 14,221 CVEs
CVE-2026-28433 MEDIUM - 4.3

Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be rel...

Vendor: misskey-dev
Product: misskey
Published: Mar 10, 2026
Source: NVD
CVE-2026-26982 MEDIUM - 6.3

Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop mali...

Vendor: ghostty-org
Product: ghostty
Published: Mar 10, 2026
Source: NVD

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality whe...

Vendor: rubygems
Product: camaleon_cms
Published: Mar 10, 2026
Source: NVD
CVE-2026-30974 MEDIUM - 4.6

Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context...

Vendor: pip
Product: copyparty
Published: Mar 10, 2026
Source: GitHub
CVE-2026-30964 MEDIUM - 5.4

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allowed_origins is configured, CheckAllowedOrigins reduces URL-like values to their host component and ac...

Vendor: composer
Product: web-auth/webauthn-framework
Published: Mar 10, 2026
Source: GitHub
CVE-2026-30959 MEDIUM - 5.0

OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI....

Vendor: npm
Product: @oneuptime/common
Published: Mar 10, 2026
Source: GitHub
CVE-2026-30938 MEDIUM - 5.3

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is cau...

Vendor: npm
Product: parse-server
Published: Mar 10, 2026
Source: GitHub
CVE-2026-30913 MEDIUM - 4.6

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting at...

Vendor: composer
Product: flarum/nicknames
Published: Mar 10, 2026
Source: GitHub
CVE-2025-70973 MEDIUM - 4.8

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, ...

Published: Mar 09, 2026
Source: NVD
CVE-2026-25960 MEDIUM - 5.4

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 added in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses url...

Vendor: pip
Product: vllm
Published: Mar 09, 2026
Source: GitHub
CVE-2026-30927 MEDIUM - 5.4

Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibl...

Vendor: composer
Product: admidio/admidio
Published: Mar 09, 2026
Source: GitHub
CVE-2026-3638 MEDIUM - 5.9

Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.

Published: Mar 09, 2026
Source: NVD
CVE-2025-70032 MEDIUM - 6.1

An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

Published: Mar 09, 2026
Source: NVD
CVE-2025-70033 MEDIUM - 5.4

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

Published: Mar 09, 2026
Source: NVD
CVE-2026-29773 MEDIUM - 4.3

Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without...

Vendor: go
Product: github.com/kubewarden/kubewarden-controller
Published: Mar 09, 2026
Source: GitHub
CVE-2025-70037 MEDIUM - 6.1

An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code.

Vendor: linagora
Product: twake
Published: Mar 09, 2026
Source: NVD
CVE-2025-70060 MEDIUM - 5.4

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.

Vendor: ymfe
Product: yapi
Published: Mar 09, 2026
Source: NVD
CVE-2025-70050 MEDIUM - 6.5

An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.

Vendor: lesspass
Product: lesspass
Published: Mar 09, 2026
Source: NVD
CVE-2025-70040 MEDIUM - 5.3

An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information.

Published: Mar 09, 2026
Source: NVD
CVE-2025-69648 MEDIUM - 6.2

GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a n...

Vendor: gnu
Product: binutils
Published: Mar 09, 2026
Source: NVD