Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,755
Showing 10,521 - 10,540 of 14,604 CVEs
CVE-2026-27344 MEDIUM - 5.3

Missing Authorization vulnerability in inseriswiss inseri core inseri-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects inseri core: from n/a through <= 1.0.5.

Vendor: inseriswiss
Product: inseri core
Published: Mar 05, 2026
Source: NVD
CVE-2026-23799 MEDIUM - 6.5

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.5.

Vendor: Themeum
Product: Tutor LMS
Published: Mar 05, 2026
Source: NVD
CVE-2026-23546 MEDIUM - 6.5

Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data. This issue affects Classified Listing: from n/a through <= 5.3.4.

Vendor: RadiusTheme
Product: Classified Listing
Published: Mar 05, 2026
Source: NVD
CVE-2026-22459 MEDIUM - 6.5

Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through <= 1.7.4.

Vendor: Blend Media
Product: WordPress CTA
Published: Mar 05, 2026
Source: NVD
CVE-2025-69343 MEDIUM - 6.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS. This issue affects Theater for WordPress: from n/a through <= 0.19.

Vendor: Jeroen Schmit
Product: Theater for WordPress
Published: Mar 05, 2026
Source: NVD
CVE-2025-68515 MEDIUM - 5.8

Insertion of Sensitive Information Into Sent Data vulnerability in Roland Murg WP Booking System wp-booking-system allows Retrieve Embedded Sensitive Data. This issue affects WP Booking System: from n/a through <= 2.0.19.12.

Vendor: Roland Murg
Product: WP Booking System
Published: Mar 05, 2026
Source: NVD
CVE-2026-3523 MEDIUM - 4.9

The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `|...

Published: Mar 05, 2026
Source: NVD
CVE-2026-3034 MEDIUM - 6.4

The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-lev...

Published: Mar 05, 2026
Source: NVD
CVE-2026-2899 MEDIUM - 6.5

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAj...

Published: Mar 05, 2026
Source: NVD
CVE-2026-26033 MEDIUM - 6.7

UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Unquoted Search Path or Element (CWE-428) vulnerability, which allows a user with write access to a directory on the system drive to execute arbitrary code with SYSTEM privileges.

Vendor: Dell Inc.
Product: UPS Multi-UPS Management Console (MUMC)
Published: Mar 05, 2026
Source: NVD
CVE-2026-29125 MEDIUM - 4.7

IDC SFX2100 Satellite Receivers set the `/etc/resolv.conf` file to be world-writable by any local user, allowing DNS resolver tampering that can redirect network communications, facilitate man-in-the-middle attacks, and cause denial of service.

Vendor: International Datacasting Corporation
Product: SFX2100 Satellite Receiver
Published: Mar 05, 2026
Source: NVD
CVE-2026-29122 MEDIUM - 5.5

International Data Casting (IDC) SFX2100 satellite receiver comes with the `/bin/date` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFOBins resource to perform privileged file ...

Vendor: International Datacasting Corporation
Product: SFX2100 Satellite Receiver
Published: Mar 05, 2026
Source: NVD
CVE-2026-29791 MEDIUM - 4.9

Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environment. Prior to version 0.12.0, when converting MCP tools/call request to OpenAPI request, input path, query, and header values are not sanitized. This issue has been patched in versio...

Vendor: go
Product: github.com/agentgateway/agentgateway
Published: Mar 05, 2026
Source: GitHub
CVE-2026-29780 MEDIUM - 5.5

eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitr...

Vendor: pip
Product: eml-parser
Published: Mar 05, 2026
Source: GitHub
CVE-2025-41257 MEDIUM - 4.8

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set a new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise.

Vendor: Suprema
Product: BioStar 2
Published: Mar 04, 2026
Source: NVD
CVE-2026-29188 MEDIUM - 9.1

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission...

Vendor: go
Product: github.com/filebrowser/filebrowser/v2
Published: Mar 04, 2026
Source: GitHub
CVE-2026-27898 MEDIUM - 5.4

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial" Even though the standard retrieval API correctly de...

Vendor: dani-garcia
Product: vaultwarden
Published: Mar 04, 2026
Source: NVD
CVE-2026-27801 MEDIUM - 5.9

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to...

Vendor: dani-garcia
Product: vaultwarden
Published: Mar 04, 2026
Source: NVD
CVE-2026-22040 MEDIUM - 5.3

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory ...

Vendor: nanomq
Product: nanomq
Published: Mar 04, 2026
Source: NVD
CVE-2026-29038 MEDIUM - 6.1

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body with...

Vendor: pip
Product: changedetection.io
Published: Mar 04, 2026
Source: GitHub