Export limit exceeded: 334963 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (334963 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2376 | 2 Mirror-registry, Redhat | 3 Quay, Mirror Registry, Quay | 2026-03-12 | 4.9 Medium |
| A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without verifying the final destination, allowing attackers to route requests to systems they should not have access to. | ||||
| CVE-2026-32062 | 1 Openclaw | 2 Openclaw, Voice-call | 2026-03-12 | 7.5 High |
| OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams. | ||||
| CVE-2026-3429 | 2 Keycloak, Redhat | 5 Keycloak, Build Keycloak, Jboss Enterprise Application Platform and 2 more | 2026-03-12 | 4.2 Medium |
| A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. | ||||
| CVE-2026-20162 | 1 Splunk | 2 Splunk Cloud Platform, Splunk Enterprise | 2026-03-12 | 6.3 Medium |
| In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | ||||
| CVE-2026-3904 | 1 The Gnu C Library | 1 Glibc | 2026-03-12 | 6.2 Medium |
| Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well. Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository. It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client. | ||||
| CVE-2026-30903 | 1 Zoom Communications | 1 Zoom Workplace | 2026-03-12 | 9.6 Critical |
| External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access. | ||||
| CVE-2026-30902 | 1 Zoom | 1 Workplace | 2026-03-12 | 7.8 High |
| Improper Privilege Management in certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local access. | ||||
| CVE-2026-31863 | 1 Anyproto | 3 Anytype-cli, Anytype-heart, Anytype-ts | 2026-03-12 | 3.6 Low |
| Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5. | ||||
| CVE-2025-12690 | 1 Forcepoint | 1 Ngfw Engine | 2026-03-12 | N/A |
| Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation.This issue affects NGFW Engine through 6.10.19, through 7.3.0, through 7.2.4, through 7.1.10. | ||||
| CVE-2026-0520 | 1 Lenovo | 1 Filez | 2026-03-12 | 2.8 Low |
| A potential vulnerability was reported in the Lenovo FileZ Android application that, under certain conditions, could allow a local authenticated user to retrieve some sensitive data stored in a log file. | ||||
| CVE-2026-3496 | 2 Crocoblock, Wordpress | 2 Jetbooking, Wordpress | 2026-03-12 | 7.5 High |
| The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-3848 | 1 Gitlab | 1 Gitlab | 2026-03-12 | 5 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality. | ||||
| CVE-2026-3013 | 1 Coppermine-gallery | 1 Coppermine Photo Gallery | 2026-03-12 | N/A |
| Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow to read content of any file accessible by the the web server process.This issue was fixed in version 1.6.28. | ||||
| CVE-2026-30900 | 1 Zoom | 1 Workplace | 2026-03-12 | 7.8 High |
| Improper Check of minimum version in update functionality of certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local access. | ||||
| CVE-2026-31974 | 1 Opf | 1 Openproject | 2026-03-12 | 3 Low |
| OpenProject is an open-source, web-based project management software. Prior to 17.2.0, OpenProject SMTP test endpoint (POST /admin/settings/mail_notifications) accepts arbitrary host and port values and exhibits measurable differences in response behaviour depending on whether the target IP exists and whether the port is open. An attacker with access can use these timing and error distinctions to map internal hosts and identify which services/ports are reachable. Similarly, you can create webhooks in OpenProject and point them to arbitrary IPs, resulting in the same kind of SSRF issue which allows attackers to scan the internal network. This vulnerability is fixed in 17.2.0. | ||||
| CVE-2026-3946 | 1 Phpems | 1 Phpems | 2026-03-12 | 3.5 Low |
| A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation of the argument askcontent results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | ||||
| CVE-2026-32229 | 1 Jetbrains | 1 Hub | 2026-03-12 | 6.8 Medium |
| In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled | ||||
| CVE-2026-30901 | 1 Zoom | 1 Rooms | 2026-03-12 | 7 High |
| Improper Input Validation in Zoom Rooms for Windows before 6.6.5 in Kiosk Mode may allow an authenticated user to conduct an escalation of privilege via local access. | ||||
| CVE-2026-3972 | 1 Tenda | 1 W3 | 2026-03-12 | 8.8 High |
| A vulnerability was found in Tenda W3 1.0.0.3(2204). Affected by this issue is the function formSetCfm of the file /goform/setcfm of the component HTTP Handler. The manipulation of the argument funcpara1 results in stack-based buffer overflow. The attack can only be performed from the local network. The exploit has been made public and could be used. | ||||
| CVE-2026-3099 | 2 Libsoup, Redhat | 2 Libsoup, Enterprise Linux | 2026-03-12 | 5.8 Medium |
| A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user. | ||||