Showing Year: 2026 (January 1 - December 31, 2026)
Showing 10,261 - 10,280 of 14,221 CVEs
CVE-2025-69647 MEDIUM - 6.2

GNU Binutils through 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbound...

Vendor: gnu
Product: binutils
Published: Mar 09, 2026
Source: NVD

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.T...

Vendor: npm
Product: @actual-app/sync-server
Published: Mar 09, 2026
Source: NVD
CVE-2026-2919 MEDIUM - 4.3

Malicious scripts could display attacker-controlled web content under spoofed domains in Focus for iOS by stalling a _self navigation to an invalid port and triggering an iframe redirect, causing the UI to display a trusted domain without user interaction. This vulnerability affects Focus for iOS &l...

Published: Mar 09, 2026
Source: NVD
CVE-2026-3819 MEDIUM - 5.4

A vulnerability has been found in SourceCodester Resort Reservation System 1.0. The affected element is an unknown function of the file /?page=manage_reservation of the component Reservation Management Module. Such manipulation of the argument ID leads to cross site scripting. The attack may be laun...

Vendor: oretnom23
Product: resort_reservation_system
Published: Mar 09, 2026
Source: NVD
CVE-2026-21736 MEDIUM - 4.4

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory. This is caused by improper handling of the memory protections for the user-mode wrapped memory resource.

Vendor: Imagination Technologies
Product: Graphics DDK
Published: Mar 09, 2026
Source: NVD
CVE-2026-3817 MEDIUM - 5.3

A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0. This issue affects some unknown processing of the file /patient-search.php. The manipulation results in improper authorization. The attack can be launched remotely. The exploit is now public and may be ...

Vendor: pamzey
Product: patients_waiting_area_queue_management_system
Published: Mar 09, 2026
Source: NVD
CVE-2026-3816 MEDIUM - 4.3

A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit ...

Vendor: owasp
Product: defectdojo
Published: Mar 09, 2026
Source: NVD
CVE-2026-25604 MEDIUM - 5.4

In AWS Auth manager, the origin of the SAML authentication was used as provided by the client and not verified against the actual instance URL. This allowed gaining access to different instances with potentially different access controls by reusing a SAML response from another instance. You shou...

Vendor: Apache Software Foundation
Product: Apache Airflow Providers Amazon
Published: Mar 09, 2026
Source: NVD
CVE-2026-3813 MEDIUM - 6.3

A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The explo...

Vendor: opencc
Product: jflow
Published: Mar 09, 2026
Source: NVD
CVE-2025-40638 MEDIUM - 6.1

A reflected Cross-Site Scripting (XSS) vulnerability has been found in Eventobot. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the 'name' parameter in '/search-results'. This vulnerabilit...

Vendor: EVENTOBOT
Product: Eventobot
Published: Mar 09, 2026
Source: NVD
CVE-2026-3812 MEDIUM - 4.3

A vulnerability was determined in itsourcecode Payroll Management System 1.0. Affected is an unknown function of the file /manage_employee_allowances.php. This manipulation of the argument ID causes cross site scripting. The attack can be carried out remotely. The exploit has been publicl...

Vendor: angeljudesuarez
Product: payroll_management_system
Published: Mar 09, 2026
Source: NVD
CVE-2025-41763 MEDIUM - 6.5

A low-privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including system backups and certificate request files.

Vendor: MBS
Product: UBR-01 Mk II, UBR-02, UBR-LON
Published: Mar 09, 2026
Source: NVD
CVE-2025-41762 MEDIUM - 6.2

An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates.

Vendor: MBS
Product: UBR-01 Mk II, UBR-02, UBR-LON
Published: Mar 09, 2026
Source: NVD
CVE-2025-41760 MEDIUM - 4.9

An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.

Vendor: MBS
Product: UBR-01 Mk II, UBR-02, UBR-LON
Published: Mar 09, 2026
Source: NVD
CVE-2025-41759 MEDIUM - 4.9

An administrator may attempt to block all networks by specifying "*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocke...

Vendor: MBS
Product: UBR-01 Mk II, UBR-02, UBR-LON
Published: Mar 09, 2026
Source: NVD
CVE-2025-41755 MEDIUM - 6.5

A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/weblog{some_number}), but this parameter is not properly validated, allowing an attacker to modify it ...

Vendor: MBS
Product: UBR-01 Mk II, UBR-02, UBR-LON
Published: Mar 09, 2026
Source: NVD
CVE-2025-41754 MEDIUM - 6.5

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint, to read arbitrary files on the system.

Vendor: MBS
Product: UBR-01 Mk II, UBR-02, UBR-LON
Published: Mar 09, 2026
Source: NVD
CVE-2026-3806 MEDIUM - 6.3

A weakness has been identified in SourceCodester/janobe Resort Reservation System 1.0. This issue affects some unknown processing of the file /room_rates.php. This manipulation of the argument q causes sql injection. The attack can be initiated remotely. The exploit has been made available to the pu...

Vendor: oretnom23
Product: resort_reservation_system
Published: Mar 09, 2026
Source: NVD
CVE-2026-3822 MEDIUM - 6.5

Taipower APP for Android developed by Taipower has an Improper Certificate Validation vulnerability. When establishing an HTTPS connection with the server, the application fails to verify the server-side TLS/SSL certificate. This flaw allows unauthenticated remote attackers to exploit the vulnera...

Vendor: taipower
Product: taipower_app
Published: Mar 09, 2026
Source: NVD
CVE-2026-3800 MEDIUM - 6.3

A vulnerability has been found in SourceCodester/janobe Resort Reservation System 1.0. Affected is the function doInsert of the file /controller.php?action=add. Such manipulation of the argument image leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed t...

Vendor: oretnom23
Product: resort_reservation_system
Published: Mar 09, 2026
Source: NVD