Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,724
Showing 10,621 - 10,640 of 14,108 CVEs
CVE-2019-25498 HIGH - 8.2

Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authentication ...

Vendor: niteosoft
Product: Simple Job Script
Published: Mar 04, 2026
Source: NVD
CVE-2026-3520 HIGH - 7.5

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No ...

Vendor: npm
Product: multer
Published: Mar 04, 2026
Source: NVD
CVE-2026-29069 HIGH - 5.3

Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendi...

Vendor: craftcms
Product: cms
Published: Mar 04, 2026
Source: NVD
CVE-2025-15558 HIGH - 8.0

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a vic...

Vendor: Docker
Product: Docker CLI, Compose
Published: Mar 04, 2026
Source: NVD
CVE-2026-26673 HIGH - 7.5

An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem.

Vendor: dji
Product: mavic_mini_firmware
Published: Mar 04, 2026
Source: NVD
CVE-2026-26514 HIGH - 7.5

An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (D...

Vendor: xddxdd
Product: bird-lg-go
Published: Mar 04, 2026
Source: NVD
CVE-2025-59785 HIGH - 7.2

Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows an attacker to bypass password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges.

Vendor: 2N Telekomunikace a.s.
Product: 2N Access Commander
Published: Mar 04, 2026
Source: NVD
CVE-2025-59784 HIGH - 7.2

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. This vulnerability can only be exploited after authenticating with administrator privileges.

Vendor: 2N Telekomunikace a.s.
Product: 2N Access Commander
Published: Mar 04, 2026
Source: NVD
CVE-2025-59783 HIGH - 7.2

The API endpoint for user synchronization in 2N Access Commander version 3.4.1 did not have sufficient input validation, allowing for OS command injection. This vulnerability can only be exploited after authenticating with administrator privileges.

Vendor: 2N Telekomunikace a.s.
Product: 2N Access Commander
Published: Mar 04, 2026
Source: NVD
CVE-2025-70341 HIGH - 7.8

Insecure permissions in App-Auto-Patch v3.4.2 create a race condition which allows attackers to write arbitrary files.

Vendor: app-auto-patch
Product: app-auto-patch
Published: Mar 04, 2026
Source: NVD
CVE-2023-7337 HIGH - 7.5

The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the use...

Published: Mar 04, 2026
Source: NVD
CVE-2026-3094 HIGH - 7.8

Delta Electronics CNCSoft-G2 lacks proper validation of the user-supplied file. If a user opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

Vendor: deltaww
Product: cncsoft-g2
Published: Mar 04, 2026
Source: NVD
CVE-2026-2747 HIGH - 7.5

SEPPmail Secure Email Gateway before version 15.0.1 decrypts inline PGP messages without isolating them from surrounding unencrypted content, allowing exposure of sensitive information to an unauthorized actor.

Vendor: seppmail
Product: seppmail
Published: Mar 04, 2026
Source: NVD
CVE-2026-27444 HIGH - 7.5

SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.

Vendor: SEPPmail
Product: Secure Email Gateway
Published: Mar 04, 2026
Source: NVD
CVE-2026-27443 HIGH - 7.5

SEPPmail Secure Email Gateway before version 15.0.1 does not properly sanitize the headers from S/MIME protected MIME entities, allowing an attacker to control trusted headers.

Vendor: SEPPmail
Product: Secure Email Gateway
Published: Mar 04, 2026
Source: NVD
CVE-2026-27442 HIGH - 7.5

The GINA web interface in SEPPmail Secure Email Gateway before version 15.0.1 does not properly check attachment filenames in GINA-encrypted emails, allowing an attacker to access files on the gateway.

Vendor: SEPPmail
Product: Secure Email Gateway
Published: Mar 04, 2026
Source: NVD
CVE-2026-28774 HIGH - 8.8

An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pip...

Vendor: International Datacasting Corporation (IDC)
Product: SFX Series SuperFlex SatelliteReceiver Web Management Interface
Published: Mar 04, 2026
Source: NVD
CVE-2026-28773 HIGH - 8.8

The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated at...

Vendor: International Datacasting Corporation (IDC)
Product: SFX Series SuperFlex SatelliteReceiver Web Management Interface
Published: Mar 04, 2026
Source: NVD
CVE-2026-28770 HIGH - 8.8

Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file...

Vendor: International Datacasting Corporation (IDC)
Product: SFX Series SuperFlex Satellite Receiver Web management interface
Published: Mar 04, 2026
Source: NVD
CVE-2026-2025 HIGH - 7.5

The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoints, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog.

Published: Mar 04, 2026
Source: NVD