Total CVEs: 142,027 | Critical severity: 3,943 | High severity: 14,108 | Last 7 days: 1,748
Showing 10,621 - 10,640 of 14,604 CVEs
CVE-2026-2732 MEDIUM - 5.4

The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with ...

Published: Mar 04, 2026
Source: NVD
CVE-2026-2363 MEDIUM - 6.5

The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of su...

Published: Mar 04, 2026
Source: NVD
CVE-2026-28769 MEDIUM - 6.5

A path traversal vulnerability exists in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 101. An authenticated attacker can manipulate the `file` parameter to traverse directories and enumera...

Vendor: International Datacasting Corporation (IDC)
Product: SFX Series SuperFlex Satellite Receiver Web management interface
Published: Mar 04, 2026
Source: NVD
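The `file` parameter bug above is the classic containment failure: a user-supplied relative path is joined onto a log directory and never checked against it. The PHP below is an added example of the check that class of bug needs, not code from the IDC receiver (its CGI script is not on this page); the temporary "IDC_Logging" directory and file names are constructed so the script runs stand-alone.

```php
<?php
// Added example: server-side containment check for a user-supplied file name.
// Not the IDC CGI script; the log directory and files below are constructed
// so this runs on its own (php traversal_check.php).

// Resolve $userPath inside $baseDir and return the canonical path, or null when
// the request escapes the directory or names something that is not a regular file.
function resolve_log_file(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes (libc string truncation) and absolute paths outright.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }
    // realpath() collapses "..", "./" and symlinks, so the prefix test below is
    // meaningful; it returns false for non-existent paths, which is also a miss.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the log directory: traversal attempt
    }
    return $real;
}

// The vulnerable pattern: trust the name and read whatever it points at.
function vulnerable_read(string $baseDir, string $userPath)
{
    try {
        return @file_get_contents($baseDir . '/' . $userPath);
    } catch (\ValueError $e) {      // PHP 8 throws on NUL bytes in the path
        return false;
    }
}

// --- constructed fixture: a temp log directory and a secret one level above it ---
$root = sys_get_temp_dir() . '/idc_demo_' . bin2hex(random_bytes(4));
mkdir("$root/IDC_Logging", 0700, true);
file_put_contents("$root/IDC_Logging/job1.log", "done\n");
file_put_contents("$root/secret.txt", "not for the web\n");

$cases = ['job1.log', '../secret.txt', 'missing.log', "job1.log\0.png"];
foreach ($cases as $c) {
    $resolved = resolve_log_file("$root/IDC_Logging", $c);
    printf("%-22s vulnerable=%s  hardened=%s\n",
        json_encode($c),
        vulnerable_read("$root/IDC_Logging", $c) === false ? 'miss' : 'READ',
        $resolved === null ? 'rejected' : 'ok');
}

unlink("$root/IDC_Logging/job1.log");
unlink("$root/secret.txt");
rmdir("$root/IDC_Logging");
rmdir($root);
```

The prefix comparison must include the trailing directory separator; comparing against `$base` alone would accept a sibling directory such as `IDC_Logging_old`. Checking `realpath()` output rather than the raw string is what defeats `..`, encoded separators and symlinks at the same time.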
CVE-2026-3242 MEDIUM - 4.8

In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to M3dium for reporting.

Vendor: concretecms
Product: concrete_cms
Published: Mar 04, 2026
Source: NVD
CVE-2026-3241 MEDIUM - 4.8

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-c...

Vendor: concretecms
Product: concrete_cms
Published: Mar 04, 2026
Source: NVD
CVE-2026-3240 MEDIUM - 4.8

In Concrete CMS below version 9.4.8, a user with permission to edit a page containing a Legacy Form element can perform a stored XSS attack against high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/...

Vendor: concretecms
Product: concrete_cms
Published: Mar 04, 2026
Source: NVD
CVE-2026-2994 MEDIUM - 6.8

Concrete CMS below version 9.4.8 is subject to CSRF by a rogue administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass because changes are saved before the CSRF token is checked. The Concrete CMS security team gave this vulnerability ...

Vendor: concretecms
Product: concrete_cms
Published: Mar 04, 2026
Source: NVD
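The advisory's important detail is the ordering: the setting is persisted first and the token is validated afterwards, so a forged cross-site POST gets an error page but the change has already landed. The PHP below is an added illustration of that ordering bug and its fix; it is not Concrete CMS code, and the `$session`/`$config` arrays, the `csrf_*` helpers and the request field names are all constructed for the demo.

```php
<?php
// Added example of a CSRF handler that mutates state before validating the
// token, next to the corrected ordering. Not Concrete CMS code: helpers,
// field names and the $config store are assumptions for this demo.

function csrf_token(array $session, string $action): string
{
    // Token bound to the session secret and to the action it authorises.
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

function csrf_valid(array $session, string $action, ?string $token): bool
{
    // hash_equals() keeps the comparison constant-time.
    return $token !== null && hash_equals(csrf_token($session, $action), $token);
}

// Vulnerable ordering: persist the allowlist group, then check the token.
function save_allowlist_vulnerable(array &$config, array $session, array $request): string
{
    $config['antispam_allowlist_group_id'] = (int) ($request['group_id'] ?? 0);
    if (!csrf_valid($session, 'antispam_allowlist', $request['token'] ?? null)) {
        return 'invalid token';          // too late: the write above already happened
    }
    return 'saved';
}

// Fixed ordering: validate first, and only then touch state.
function save_allowlist_fixed(array &$config, array $session, array $request): string
{
    if (!csrf_valid($session, 'antispam_allowlist', $request['token'] ?? null)) {
        return 'invalid token';
    }
    $config['antispam_allowlist_group_id'] = (int) ($request['group_id'] ?? 0);
    return 'saved';
}

// --- constructed scenario ---------------------------------------------------
$session = ['csrf_secret' => bin2hex(random_bytes(16))];
$forged  = ['group_id' => 42];                                  // cross-site form: no token
$genuine = ['group_id' => 7, 'token' => csrf_token($session, 'antispam_allowlist')];

$config = ['antispam_allowlist_group_id' => 1];
$r = save_allowlist_vulnerable($config, $session, $forged);
printf("vulnerable: %-13s group_id now %d (was 1)\n", $r, $config['antispam_allowlist_group_id']);

$config = ['antispam_allowlist_group_id' => 1];
$r = save_allowlist_fixed($config, $session, $forged);
printf("fixed:      %-13s group_id now %d (was 1)\n", $r, $config['antispam_allowlist_group_id']);

$r = save_allowlist_fixed($config, $session, $genuine);
printf("fixed:      %-13s group_id now %d (genuine request)\n", $r, $config['antispam_allowlist_group_id']);
```

When reviewing a handler of this shape, read every statement that precedes the validate call, not just the obvious database write: cache invalidation, audit logging and file writes that happen "on the way in" are the same bug.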
CVE-2026-3244 MEDIUM - 4.8

In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block, where page names and content are rendered without proper HTML encoding in search results. This allows authenticated rogue administrators to inject malicious JavaScript through page name...

Vendor: concretecms
Product: concrete_cms
Published: Mar 04, 2026
Source: NVD
CVE-2026-2292 MEDIUM - 4.4

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

Published: Mar 04, 2026
Source: NVD
CVE-2026-2289 MEDIUM - 4.4

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and ab...

Published: Mar 04, 2026
Source: NVD
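The Concrete CMS search-block entry and the two WordPress admin-settings entries above are the same class of bug: stored data reaches the template raw, and "sanitization on input" never substitutes for encoding on output in the context the value lands in. The PHP below is an added example of context-aware output encoding; it is not code from Concrete CMS or the plugins, the page records are constructed, and `esc()` stands in for WordPress's `esc_html()`/`esc_attr()` so the file runs without WordPress.

```php
<?php
// Added example of output encoding for stored, attacker-controlled data.
// Not the Concrete CMS search block or the WordPress plugins' code; the page
// records below are constructed. esc() plays the role of esc_html()/esc_attr().

function esc(string $s): string
{
    // Encodes <, >, &, " and ' so the value is inert in HTML text and in a
    // quoted attribute. It does nothing for an unquoted attribute or a URL scheme.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URLs need scheme validation as well: "javascript:" survives HTML encoding.
function esc_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return esc($url);
}

// Vulnerable: page name, excerpt and URL dropped into the template raw,
// with one attribute left unquoted.
function render_results_vulnerable(array $pages): string
{
    $html = "<ul>\n";
    foreach ($pages as $p) {
        $html .= "  <li><a href=\"{$p['url']}\" title={$p['name']}>{$p['name']}</a> {$p['excerpt']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Fixed: every attribute quoted, every value encoded for its context.
function render_results_fixed(array $pages): string
{
    $html = "<ul>\n";
    foreach ($pages as $p) {
        $html .= sprintf("  <li><a href=\"%s\" title=\"%s\">%s</a> %s</li>\n",
            esc_href($p['url']), esc($p['name']), esc($p['name']), esc($p['excerpt']));
    }
    return $html . "</ul>\n";
}

// Constructed records a rogue administrator could have stored.
$pages = [
    ['name' => 'About us',                                 'url' => '/about',             'excerpt' => 'Plain page.'],
    ['name' => '<img src=x onerror=alert(document.cookie)>', 'url' => '/x',              'excerpt' => 'Payload in text context'],
    ['name' => 'x onmouseover=alert(1)',                   'url' => 'javascript:alert(1)', 'excerpt' => 'Unquoted attribute plus URL scheme'],
];

echo "--- vulnerable ---\n", render_results_vulnerable($pages);
echo "--- fixed ---\n", render_results_fixed($pages);
```

The third record is why "escape everything" is not enough on its own: its name contains no characters that `htmlspecialchars()` changes, and it only stays harmless because the fixed template puts quotes around the attribute. On the input side, a `sanitize_text_field()`-style filter at save time is defence in depth; output encoding is what actually closes the bug, because the offending rows may already be in the database.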
CVE-2026-1980 MEDIUM - 5.3

The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check on the 'get_customer_list' route in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to retrieve sensitive customer information...

Published: Mar 04, 2026
Source: NVD
CVE-2026-1651 MEDIUM - 6.5

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

Published: Mar 04, 2026
Source: NVD
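The two SQL-injection entries above (CVE-2026-2363, an ORDER BY column taken from a shortcode attribute, and CVE-2026-1651, an ID list taken from a request parameter) share the description "insufficient escaping ... and lack of sufficient preparation", but the fixes differ: a column name cannot be bound as a parameter at all, so it has to be matched against an allow-list, while a list of IDs needs one placeholder per element. The PHP below is an added example of both, not the WP-Members or Icegram Express plugin code; the table name `ig_workflows` and the column allow-list are assumptions, and `Fake_Wpdb` stands in for WordPress's `$wpdb` so the file runs on its own.

```php
<?php
// Added example: ORDER BY allow-listing and per-element placeholders for an
// IN (...) list. Not the plugins' code; ig_workflows and the column list are
// assumptions. Fake_Wpdb mimics only the %d/%s handling of wpdb::prepare()
// so that this runs outside WordPress (php sqli_demo.php).
class Fake_Wpdb
{
    public $prefix = 'wp_';

    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%([ds])/', function ($m) use (&$i, $args) {
            $a = $args[$i++];
            // %d: integer cast; %s: escaped and quoted (real wpdb uses mysqli escaping)
            return $m[1] === 'd' ? (string) (int) $a : "'" . addslashes((string) $a) . "'";
        }, $query);
    }
}

// Vulnerable: the attribute value is concatenated into ORDER BY, so anything
// after the column name is executed as SQL.
function membership_posts_sql_vulnerable($wpdb, array $atts): string
{
    $atts = array_merge(['order_by' => 'post_date', 'status' => 'publish'], $atts);
    return "SELECT ID FROM {$wpdb->prefix}posts WHERE post_status = '{$atts['status']}' ORDER BY {$atts['order_by']}";
}

// Fixed: sort column and direction come from an allow-list (unknown values fall
// back to the default); everything that can be bound goes through prepare().
function membership_posts_sql_fixed($wpdb, array $atts): string
{
    $atts = array_merge(['order_by' => 'post_date', 'order' => 'DESC', 'status' => 'publish'], $atts);
    $cols = ['post_date', 'post_title', 'menu_order', 'ID'];
    $col  = in_array($atts['order_by'], $cols, true) ? $atts['order_by'] : 'post_date';
    $dir  = strtoupper((string) $atts['order']) === 'ASC' ? 'ASC' : 'DESC';
    return $wpdb->prepare("SELECT ID FROM {$wpdb->prefix}posts WHERE post_status = %s ORDER BY $col $dir", $atts['status']);
}

// Vulnerable: a comma-separated request value pasted straight into IN (...).
function workflow_sql_vulnerable($wpdb, string $workflow_ids): string
{
    return "SELECT * FROM {$wpdb->prefix}ig_workflows WHERE id IN ($workflow_ids)";
}

// Fixed: each element is cast to a positive int and gets its own %d placeholder.
function workflow_sql_fixed($wpdb, $workflow_ids): ?string
{
    $ids = is_array($workflow_ids) ? $workflow_ids : explode(',', (string) $workflow_ids);
    $ids = array_values(array_filter(array_map('intval', $ids), fn($id) => $id > 0));
    if ($ids === []) {
        return null;                     // nothing valid: run no query at all
    }
    $in = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->prepare("SELECT * FROM {$wpdb->prefix}ig_workflows WHERE id IN ($in)", ...$ids);
}

// --- constructed attacker inputs ---------------------------------------------
$wpdb       = new Fake_Wpdb();
$evil_order = 'post_date, (SELECT SLEEP(5))';   // time-based probe through ORDER BY
$evil_ids   = '1) OR 1=1 -- ';                  // breaks out of IN (...)

echo membership_posts_sql_vulnerable($wpdb, ['order_by' => $evil_order]), "\n";
echo membership_posts_sql_fixed($wpdb, ['order_by' => $evil_order]), "\n";
echo workflow_sql_vulnerable($wpdb, $evil_ids), "\n";
echo workflow_sql_fixed($wpdb, $evil_ids), "\n";
echo workflow_sql_fixed($wpdb, '3, 5,abc'), "\n";
```

Two caveats when moving this into a real plugin: the real `wpdb::prepare()` requires literal `%` characters in the query to be written as `%%`, and `esc_sql()` is only meaningful inside a quoted string literal, so it does not help with an ORDER BY column either; the allow-list is the only correct fix for identifiers.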
CVE-2026-27600 MEDIUM - 5.0

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, the notifier functionality allows authenticated users to specify arbitrary URLs to which the application sends HTTP POST requests. No validation or restriction is applied to the supplied host, IP address, or port. Although th...

Vendor: sysadminsmedia
Product: homebox
Published: Mar 03, 2026
Source: NVD
CVE-2026-26272 MEDIUM - 4.6

HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload malici...

Vendor: sysadminsmedia
Product: homebox
Published: Mar 03, 2026
Source: NVD
CVE-2026-25590 MEDIUM - 4.5

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.

Vendor: glpi-project
Product: glpi-inventory-plugin
Published: Mar 03, 2026
Source: NVD
CVE-2026-3487 MEDIUM - 4.7

A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Manipulation of the argument course_code results in SQL injection. The attack can be initiated remotely. The exploit has been made pub...

Vendor: angeljudesuarez
Product: college_management_system
Published: Mar 03, 2026
Source: NVD
CVE-2026-21866 MEDIUM - 5.4

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vu...

Vendor: langgenius
Product: dify
Published: Mar 03, 2026
Source: NVD
CVE-2026-29073 HIGH - 8.8

SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic authentication, not admin rights, so any logged-in user, even a reader, can run any SQL query against the database. This issue has been patched in version 3.6.0.

Vendor: go
Product: github.com/siyuan-note/siyuan/kernel
Published: Mar 03, 2026
Source: GitHub
CVE-2026-3486 MEDIUM - 4.7

A vulnerability has been found in itsourcecode College Management System 1.0. This vulnerability affects unknown code of the file /admin/student-fee.php. Manipulation of the argument roll_no leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to ...

Vendor: angeljudesuarez
Product: college_management_system
Published: Mar 03, 2026
Source: NVD
CVE-2026-1713 MEDIUM - 5.5

IBM MQ 9.1.0.0 through 9.1.0.33 LTS, 9.2.0.0 through 9.2.0.40 LTS, 9.3.0.0 through 9.3.0.36 LTS, 9.30.0 through 9.3.5.1 CD, 9.4.0.0 through 9.4.0.17 LTS, and 9.4.0.0 through 9.4.4.1 CD

Vendor: ibm
Product: mq
Published: Mar 03, 2026
Source: NVD