Export limit exceeded: 334439 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (334439 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-61638 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Parsoid | 2026-03-16 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. | ||||
| CVE-2025-61639 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-03-16 | 4.8 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | ||||
| CVE-2025-61640 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-03-16 | 4.8 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | ||||
| CVE-2025-13650 | 1 Microcom | 1 Zeusweb | 2026-03-16 | 6.1 Medium |
| An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Surname’ parameter of the ‘Create Account’ operation at the URL: https://zeus.microcom.es:4040/index.html?zeus6=true . This issue affects ZeusWeb: 6.1.31. | ||||
| CVE-2026-31979 | 1 Himmelblau-idm | 1 Himmelblau | 2026-03-16 | 8.8 High |
| Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8. | ||||
| CVE-2025-8587 | 2 Akce, Akceyazilim | 2 Skspro, Skspro | 2026-03-16 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection.This issue affects SKSPro: through 07012026. | ||||
| CVE-2026-3494 | 2 Amazon, Mariadb | 6 Aurora, Aurora Mysql, Rds For Mariadb and 3 more | 2026-03-16 | 4.3 Medium |
| In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (—) or hash (#) style comments, the statement is not logged. | ||||
| CVE-2025-62501 | 1 Tp-link | 2 Archer Ax53, Archer Ax53 Firmware | 2026-03-16 | 8.1 High |
| SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | ||||
| CVE-2026-3935 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-03-16 | 4.3 Medium |
| Incorrect security UI in WebAppInstalls in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-3938 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-03-16 | 6.5 Medium |
| Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-9290 | 1 Tp-link | 114 Beam Bridge 5 Ur, Beam Bridge 5 Ur Firmware, Dr3220v-4g and 111 more | 2026-03-16 | 5.9 Medium |
| An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality. | ||||
| CVE-2026-4040 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 3.3 Low |
| A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised. | ||||
| CVE-2025-9289 | 1 Tp-link | 10 Oc200, Oc200 Firmware, Oc220 and 7 more | 2026-03-16 | 4.7 Medium |
| A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality. | ||||
| CVE-2026-4039 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 6.3 Medium |
| A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component. | ||||
| CVE-2026-25996 | 2 Inspektor-gadget, Linuxfoundation | 2 Inspektor-gadget, Inspektor Gadget | 2026-03-16 | 9.8 Critical |
| Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the escape sequences into the terminal of ig operators, with various effects. The columns output mode is the default when running ig run interactively. | ||||
| CVE-2026-32116 | 2 Magic-wormhole, Magic-wormhole Project | 2 Magic-wormhole, Magic Wormhole | 2026-03-16 | 8.1 High |
| Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0. | ||||
| CVE-2026-24905 | 2 Inspektor-gadget, Linuxfoundation | 2 Inspektor-gadget, Inspektor Gadget | 2026-03-16 | 7.8 High |
| Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template employed during the building process. This file includes user-controlled data in an unsafe fashion, specifically some parameters are embedded without an adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure would be able to execute arbitrary commands during the building process. An attacker able to exploit this vulnerability would be able to execute arbitrary command on the Linux host where the `ig` command is launched, if images are built with the `--local` flag or on the build container invoked by `ig`, if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command, or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.48.1 fixes the issue. | ||||
| CVE-2025-15553 | 2026-03-16 | N/A | ||
| Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password. | ||||
| CVE-2026-32061 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 4.4 Medium |
| OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials. | ||||
| CVE-2026-0918 | 1 Tp-link | 7 Tapo, Tapo C220, Tapo C220 Firmware and 4 more | 2026-03-16 | 7.5 High |
| The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable. | ||||