Export limit exceeded: 336880 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 336880 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336880 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-31994 | 2 Microsoft, Openclaw | 2 Windows, Openclaw | 2026-03-25 | 7.1 High |
| OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context. | ||||
| CVE-2026-31995 | 2 Microsoft, Openclaw | 2 Windows, Openclaw | 2026-03-25 | 5.3 Medium |
| OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments. | ||||
| CVE-2026-31997 | 1 Openclaw | 1 Openclaw | 2026-03-25 | 6 Medium |
| OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution. | ||||
| CVE-2026-31999 | 1 Openclaw | 1 Openclaw | 2026-03-25 | 6.3 Medium |
| OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution. | ||||
| CVE-2026-1276 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2026-03-25 | 5.4 Medium |
| IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-15051 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2026-03-25 | 5.4 Medium |
| IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality. | ||||
| CVE-2025-13995 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2026-03-25 | 5 Medium |
| IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 could allow an attacker with access to one tenant to access hostname data from another tenant's account. | ||||
| CVE-2025-36051 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2026-03-25 | 6.2 Medium |
| IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user. | ||||
| CVE-2026-1238 | 2 Veronalabs, Wordpress | 2 Slimstat Analytics, Wordpress | 2026-03-25 | 7.2 High |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-28073 | 2 Tipsandtricks-hq, Wordpress | 2 Wp Emember, Wordpress | 2026-03-25 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2. | ||||
| CVE-2026-28070 | 2 Tipsandtricks-hq, Wordpress | 2 Wp Emember, Wordpress | 2026-03-25 | 5.3 Medium |
| Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2. | ||||
| CVE-2026-28044 | 2 Wordpress, Wp Media | 2 Wordpress, Wp Rocket | 2026-03-25 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4. | ||||
| CVE-2026-27542 | 2 Rymera Web Co Pty Ltd., Wordpress | 2 Woocommerce Wholesale Lead Capture, Wordpress | 2026-03-25 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Privilege Escalation.This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1. | ||||
| CVE-2026-27540 | 2 Rymera Web Co Pty Ltd., Wordpress | 2 Woocommerce Wholesale Lead Capture, Wordpress | 2026-03-25 | 9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1. | ||||
| CVE-2026-27413 | 2 Cozmoslabs, Wordpress | 2 Profile Builder, Wordpress | 2026-03-25 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a through 3.13.9. | ||||
| CVE-2006-10002 | 1 Toddr | 2 Xml::parser, Xml\ | 2026-03-25 | 9.8 Critical |
| XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes. | ||||
| CVE-2026-3029 | 1 Artifex | 1 Pymupdf | 2026-03-25 | 7.5 High |
| A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5. | ||||
| CVE-2026-26933 | 2 Elastic, Elasticsearch | 2 Packetbeat, Packetbeat | 2026-03-25 | 5.7 Medium |
| Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger out-of-bounds read operations, resulting in application crashes or resource exhaustion. This requires the attacker to be positioned on the same network segment as the Packetbeat deployment or to control traffic routed to monitored interfaces. | ||||
| CVE-2026-26939 | 1 Elastic | 1 Kibana | 2026-03-25 | 6.5 Medium |
| Missing Authorization (CWE-862) in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration (host isolation, process termination, and process suspension) via CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs). This requires an authenticated attacker with rule management privileges. | ||||
| CVE-2026-26940 | 1 Elastic | 1 Kibana | 2026-03-25 | 6.5 Medium |
| Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value. | ||||