Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,763
Showing 10,481 - 10,500 of 14,604 CVEs
CVE-2026-29061 MEDIUM - 5.4

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissi...

Vendor: go
Product: github.com/forceu/gokapi
Published: Mar 05, 2026
Source: GitHub
CVE-2026-28277 MEDIUM - 6.8

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can ...

Vendor: langchain-ai
Product: langgraph
Published: Mar 05, 2026
Source: NVD
CVE-2024-43035 MEDIUM - 5.8

Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE: serveFiles exists in 0.5.5 but not in the next release, 0.6.1.

Vendor: Fonoster
Product: Fonoster
Published: Mar 05, 2026
Source: NVD
CVE-2026-27723 MEDIUM - 4.3

OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.

Vendor: opf
Product: openproject
Published: Mar 05, 2026
Source: NVD
CVE-2026-27023 MEDIUM - 5.0

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass priv...

Vendor: twentyhq
Product: twenty
Published: Mar 05, 2026
Source: NVD
CVE-2026-26196 MEDIUM - 5.3

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL parameters such as token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.

Vendor: gogs
Product: gogs
Published: Mar 05, 2026
Source: NVD
CVE-2026-26195 MEDIUM - 6.1

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored XSS is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data URLs. This issue has been patched in version 0.14.2.

Vendor: gogs
Product: gogs
Published: Mar 05, 2026
Source: NVD
CVE-2025-7375 MEDIUM - 6.5

A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to cause the device's HTTP service to crash. This results in temporary service unavailability until the device is rebooted. This issue affects Omada EAP610 ...

Vendor: tp-link
Product: omada_eap610_firmware
Published: Mar 05, 2026
Source: NVD
CVE-2026-29060 MEDIUM - 5.0

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Goka...

Vendor: go
Product: github.com/forceu/gokapi
Published: Mar 05, 2026
Source: GitHub
CVE-2026-28682 MEDIUM - 6.4

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting us...

Vendor: go
Product: github.com/forceu/gokapi
Published: Mar 05, 2026
Source: GitHub
CVE-2026-26377 MEDIUM - 5.4

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function.

Vendor: koha
Product: koha
Published: Mar 05, 2026
Source: NVD
CVE-2025-64166 MEDIUM - 5.4

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlenc...

Vendor: mercurius-js
Product: mercurius
Published: Mar 05, 2026
Source: NVD
CVE-2025-69534 MEDIUM - 7.5

Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown ma...

Vendor: pip
Product: Markdown
Published: Mar 05, 2026
Source: NVD
CVE-2026-28551 MEDIUM - 4.7

Race condition vulnerability in the device security management module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Mar 05, 2026
Source: NVD
CVE-2026-28549 MEDIUM - 6.6

Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Mar 05, 2026
Source: NVD
CVE-2026-28547 MEDIUM - 6.8

Vulnerability of uninitialized pointer access in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Mar 05, 2026
Source: NVD
CVE-2026-28546 MEDIUM - 5.9

Buffer overflow vulnerability in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Mar 05, 2026
Source: NVD
CVE-2026-2893 MEDIUM - 6.5

The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the e...

Published: Mar 05, 2026
Source: NVD
CVE-2026-28552 MEDIUM - 6.5

Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS, EMUI
Published: Mar 05, 2026
Source: NVD
CVE-2026-28550 MEDIUM - 4.0

Race condition vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect availability.

Vendor: Huawei
Product: HarmonyOS
Published: Mar 05, 2026
Source: NVD