Total CVEs: 142,027 | Critical Severity: 3,943 | High Severity: 14,108 | Last 7 Days: 1,868
Showing 10,381 - 10,400 of 14,604 CVEs
CVE-2026-30238 MEDIUM - 6.1

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in GroupOffice on the external/index flow. The f parameter (Base64 JSON) is decoded and then injected into an inline JavaScript b...

Vendor: Intermesh
Product: groupoffice
Published: Mar 06, 2026
Source: NVD
CVE-2026-30237 MEDIUM - 6.1

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.155, 25.0.88, and 26.0.10, there is a reflected XSS vulnerability in the GroupOffice installer, endpoint install/license.php. The POST field license is rendered without escaping inside a <text...

Vendor: Intermesh
Product: groupoffice
Published: Mar 06, 2026
Source: NVD
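The two Group-Office entries above (CVE-2026-30238 and CVE-2026-30237) are the same defect in two output contexts: a decoded value is concatenated into an inline script block, and a POST field is written into HTML text without escaping. The following is an added example, not Group-Office code (which is PHP); it is written as Node.js because the encoding rules are the same in any server language. Function names, the `f` / `license` handling and the attacker payloads are constructed for illustration.

```javascript
// Added example (not Group-Office code). Shows the vulnerable and hardened form of
// rendering an untrusted Base64-JSON parameter into an inline <script> and an
// untrusted POST field into a <textarea>. All names are illustrative.

// Encode a value as a JSON literal safe to embed inside <script>...</script>.
// JSON.stringify alone leaves "</script>" and "<!--" intact, and U+2028/U+2029
// are line terminators in older JS engines, so those characters are escaped.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Escape text for an HTML text node or a <textarea> body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Decode a Base64-encoded JSON parameter; accept only a JSON object.
function decodeParam(f) {
  const parsed = JSON.parse(Buffer.from(f, "base64").toString("utf8"));
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("expected a JSON object");
  }
  return parsed;
}

// Vulnerable: plain JSON.stringify output concatenated into the script block.
function renderVulnerable(f) {
  const cfg = decodeParam(f);
  return `<script>var cfg = ${JSON.stringify(cfg)};</script>`;
}

// Hardened: script-safe JSON encoding of the same value.
function renderHardened(f) {
  const cfg = decodeParam(f);
  return `<script>var cfg = ${jsonForInlineScript(cfg)};</script>`;
}

// Vulnerable / hardened rendering of a POST field inside a <textarea>.
function renderLicenseVulnerable(license) {
  return `<textarea name="license">${license}</textarea>`;
}
function renderLicenseHardened(license) {
  return `<textarea name="license">${escapeHtml(license)}</textarea>`;
}

// Constructed attacker inputs: each closes the current element and opens a script.
const PAYLOAD = { return: "</script><script>alert(document.domain)</script>" };
const ATTACKER_F = Buffer.from(JSON.stringify(PAYLOAD)).toString("base64");
const ATTACKER_LICENSE = "</textarea><script>alert(1)</script>";

// More than one literal "</script>" in the output means the attacker ended the block early.
function breaksOutOfScript(html) {
  return (html.match(/<\/script>/gi) || []).length > 1;
}
```

The hardened output still round-trips through `JSON.parse` (the `\u003c` escapes are valid JSON), so the client-side code needs no change; only the server-side encoder does.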
CVE-2026-27138 MEDIUM - 5.9

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Vendor: Go standard library
Product: crypto/x509
Published: Mar 06, 2026
Source: NVD
CVE-2026-30835 MEDIUM - 5.3

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response...

Vendor: parse-community
Product: parse-server
Published: Mar 06, 2026
Source: NVD
CVE-2026-30847 MEDIUM - 6.5

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password ...

Vendor: Wekan
Product: Wekan
Published: Mar 06, 2026
Source: NVD
CVE-2026-30843 MEDIUM - 6.5

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data ...

Vendor: Wekan
Product: Wekan
Published: Mar 06, 2026
Source: NVD
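The two Wekan entries above (CVE-2026-30847 and CVE-2026-30843) are both missing server-side checks: the first publishes whole user documents where a field allowlist was needed, the second updates a custom field without confirming the caller belongs to the board that owns it. The following is an added example, not Wekan code: an in-memory model of both checks. The collection shapes, field names and the "active board member" rule are assumptions made for illustration.

```javascript
// Added example (not Wekan code). Models a user publication with a field
// allowlist and a custom-field update anchored on the stored boardId.
// Data, collection shapes and the membership rule are constructed assumptions.

const Users = [
  { _id: "u1", username: "alice", profile: { fullname: "Alice" },
    emails: [{ address: "alice@example.test" }],
    services: { password: { bcrypt: "$2b$10$constructedhashvalue000000" },
                resume: { loginTokens: [{ hashedToken: "constructed-token" }] } } },
  { _id: "u2", username: "mallory", profile: { fullname: "Mallory" },
    services: { password: { bcrypt: "$2b$10$constructedhashvalue111111" } } },
];
const Boards = [
  { _id: "b1", members: [{ userId: "u1", isActive: true }] },
  { _id: "b2", members: [{ userId: "u2", isActive: true }] },
];
const CustomFields = [{ _id: "cf1", boardId: "b1", name: "Priority", showOnCard: false }];

// Vulnerable publication shape: every field of each matching user document.
function publishUsersVulnerable(userIds) {
  return Users.filter((u) => userIds.includes(u._id));
}

// Hardened: project an explicit allowlist, so hashes and tokens never leave the server.
const PUBLIC_USER_FIELDS = ["_id", "username", "profile"];
function publishUsersHardened(userIds) {
  return Users.filter((u) => userIds.includes(u._id)).map((u) =>
    Object.fromEntries(PUBLIC_USER_FIELDS.filter((k) => k in u).map((k) => [k, u[k]])));
}

function isActiveBoardMember(boardId, userId) {
  const board = Boards.find((b) => b._id === boardId);
  return !!board && board.members.some((m) => m.userId === userId && m.isActive);
}

// Vulnerable update: the field is looked up by _id only, so any authenticated
// user can patch a field belonging to a board they are not a member of.
function updateCustomFieldVulnerable(callerId, fieldId, patch) {
  const field = CustomFields.find((f) => f._id === fieldId);
  if (!field) throw new Error("not found");
  Object.assign(field, patch);
  return field;
}

// Hardened update: authorization uses the boardId stored with the field (never a
// client-supplied one), and only an allowlist of attributes may be patched.
const UPDATABLE = ["name", "showOnCard"];
function updateCustomFieldHardened(callerId, fieldId, patch) {
  const field = CustomFields.find((f) => f._id === fieldId);
  if (!field) throw new Error("not found");
  if (!isActiveBoardMember(field.boardId, callerId)) throw new Error("forbidden");
  for (const k of Object.keys(patch)) {
    if (!UPDATABLE.includes(k)) throw new Error(`attribute ${k} is not updatable`);
  }
  Object.assign(field, patch);
  return field;
}
```

Returning "not found" and "forbidden" as distinct errors is a design choice; if field identifiers are guessable, collapsing both into "not found" avoids confirming that a field exists on another board.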
CVE-2025-69653 MEDIUM - 6.5

A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT...

Published: Mar 06, 2026
Source: NVD
CVE-2025-69652 MEDIUM - 6.2

GNU Binutils through 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute pa...

Vendor: gnu
Product: binutils
Published: Mar 06, 2026
Source: NVD
CVE-2025-69649 MEDIUM - 5.5

GNU Binutils through 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) a...

Vendor: gnu
Product: binutils
Published: Mar 06, 2026
Source: NVD
CVE-2026-30228 MEDIUM - 4.9

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-o...

Vendor: npm
Product: parse-server
Published: Mar 06, 2026
Source: GitHub
CVE-2026-30833 MEDIUM - 5.3

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticate...

Vendor: RocketChat
Product: Rocket.Chat
Published: Mar 06, 2026
Source: NVD
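The Parse Server entry above (CVE-2026-30835) and the Rocket.Chat entry (CVE-2026-30833) are two ways untrusted request data reaches a MongoDB query unchecked: a field that should be a string arrives as an operator object, or an operator the API deliberately exposes (`$regex`) is forwarded with a malformed operand and the database's own error object is relayed to the caller. The following is an added example, not Rocket.Chat or Parse Server code; the field names, the tiny matcher standing in for the database, and the error format are constructed for illustration.

```javascript
// Added example (not Rocket.Chat or Parse Server code). Contrasts a selector built
// straight from the request body with one that type-checks scalar operands and
// validates an exposed $regex before it reaches the database. All names are
// illustrative; the matcher below stands in for MongoDB and supports only $ne/$regex.

// Vulnerable: the body is trusted to contain a string.
function loginSelectorVulnerable(body) {
  return { username: body.username };
}

// Hardened: operands that must be scalars are checked before becoming a selector.
function loginSelectorHardened(body) {
  const u = body.username;
  if (typeof u !== "string" || u.length === 0 || u.length > 256) {
    throw new TypeError("username must be a non-empty string");
  }
  return { username: u };
}

// Minimal stand-in for the database: shows why an object operand is dangerous.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return v !== cond.$ne;
      if ("$regex" in cond) return new RegExp(cond.$regex).test(String(v));
      return false;
    }
    return v === cond;
  });
}

const USERS = [{ username: "alice" }, { username: "bob" }]; // constructed data
function countMatches(selector) {
  return USERS.filter((d) => matches(d, selector)).length;
}

// Vulnerable $regex handling: whatever the engine throws is serialised into the response.
function regexConstraintVulnerable(pattern) {
  try {
    const selector = { username: { $regex: pattern } };
    return { ok: true, selector, hits: countMatches(selector) };
  } catch (e) {
    return { ok: false, status: 500, error: { name: e.name, message: e.message, stack: e.stack } };
  }
}

// Hardened $regex handling: bound and syntax-check the pattern up front, and answer
// with a generic client error. The syntax check uses the JS RegExp engine, so a
// pattern accepted here can still be refused by the database; the response must
// therefore also be sanitised on that path (log the detail, return a generic message).
function regexConstraintHardened(pattern) {
  if (typeof pattern !== "string" || pattern.length > 512) {
    return { ok: false, status: 400, error: "invalid query" };
  }
  try {
    new RegExp(pattern);
  } catch (_) {
    return { ok: false, status: 400, error: "invalid query" };
  }
  const selector = { username: { $regex: pattern } };
  return { ok: true, selector, hits: countMatches(selector) };
}
```

Syntax validation does not address a syntactically valid but pathological pattern (regular-expression denial of service); that needs a length bound, a timeout at the database, or disabling `$regex` for anonymous callers.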
CVE-2025-69651 MEDIUM - 5.5

GNU Binutils through 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized....

Vendor: gnu
Product: binutils
Published: Mar 06, 2026
Source: NVD
CVE-2025-69646 MEDIUM - 5.5

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbo...

Published: Mar 06, 2026
Source: NVD
CVE-2025-69645 MEDIUM - 5.5

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGA...

Published: Mar 06, 2026
Source: NVD
CVE-2025-69644 MEDIUM - 5.0

An issue was discovered in Binutils before 2.46. objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless outp...

Vendor: gnu
Product: binutils
Published: Mar 06, 2026
Source: NVD
CVE-2026-27777 MEDIUM - 6.5

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Vendor: Mobiliti
Product: e-mobi.hu
Published: Mar 06, 2026
Source: NVD
CVE-2026-27027 MEDIUM - 6.5

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Vendor: Everon
Product: api.everon.io
Published: Mar 06, 2026
Source: NVD
CVE-2026-2752 MEDIUM - 5.3

Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and thir...

Published: Mar 06, 2026
Source: NVD
CVE-2018-25200 MEDIUM - 5.3

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role ...

Vendor: Zsoft
Product: OOP CMS BLOG
Published: Mar 06, 2026
Source: NVD
CVE-2018-25198 MEDIUM - 6.2

eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying oversized input buffers. Attackers can create a payload file containing 255 bytes of data that triggers a buffer overflow condition when processed by the application.

Vendor: Gaijin
Product: eToolz
Published: Mar 06, 2026
Source: NVD