Export limit exceeded: 327578 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (327578 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-29000 | 1 Pac4j | 1 Pac4j | 2026-03-05 | 10 Critical |
| pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT with arbitrary subject and role claims, bypassing signature verification to authenticate as any user including administrators. | ||||
| CVE-2026-26417 | 2026-03-05 | N/A | ||
| A broken access control vulnerability in the password reset functionality of Tata Consultancy Services Cognix Recon Client v3.0 allows authenticated users to reset passwords of arbitrary user accounts via crafted requests. | ||||
| CVE-2025-66024 | 1 Xwiki-contrib | 1 Application-blog-ui | 2026-03-05 | N/A |
| The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Versions prior to 9.15.7 are vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping. An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation. The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping. No known workarounds are available. | ||||
| CVE-2026-28124 | 2026-03-05 | 8.1 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Notarius notarius allows PHP Local File Inclusion.This issue affects Notarius: from n/a through <= 1.9. | ||||
| CVE-2026-28119 | 2026-03-05 | 8.1 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nirvana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through <= 2.6. | ||||
| CVE-2026-28117 | 2026-03-05 | 8.1 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.This issue affects smart SEO: from n/a through <= 2.9. | ||||
| CVE-2026-28112 | 2026-03-05 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS.This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8. | ||||
| CVE-2026-27801 | 1 Dani-garcia | 1 Vaultwarden | 2026-03-05 | 8.8 High |
| Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to perform protected actions such as accessing the user’s API key or deleting the user’s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0. | ||||
| CVE-2026-26695 | 2 Carmelo, Code-projects | 2 Simple Student Alumni System, Simple Student Alumni System | 2026-03-05 | 9.8 Critical |
| code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php. | ||||
| CVE-2026-26377 | 2026-03-05 | N/A | ||
| Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the News function. | ||||
| CVE-2026-24113 | 1 Tenda | 2 W20e, W20e Firmware | 2026-03-05 | 9.8 Critical |
| An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `nptr`. When this value is passed into the `getMibPrefix` function and concatenated using `sprintf` without proper size validation, it could lead to a buffer overflow vulnerability. | ||||
| CVE-2026-24111 | 1 Tenda | 2 W20e, W20e Firmware | 2026-03-05 | 9.8 Critical |
| An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by specifying the value of `userInfo`. When `userInfo` is passed into the `addAuthUser` function and processed by `sscanf` without size validation, it could lead to buffer overflow. | ||||
| CVE-2026-24109 | 1 Tenda | 2 W20e, W20e Firmware | 2026-03-05 | 9.8 Critical |
| An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `picName`. When this value is used in `sprintf` without validating variable sizes, it could lead to a buffer overflow vulnerability. | ||||
| CVE-2026-1678 | 2026-03-05 | 9.4 Critical | ||
| dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled. | ||||
| CVE-2025-70226 | 1 Dlink | 1 Dir-513 | 2026-03-05 | 9.8 Critical |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formEasySetupWizard. | ||||
| CVE-2025-70225 | 1 Dlink | 1 Dir-513 | 2026-03-05 | 9.8 Critical |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curtime parameter to the goform/formEasySetupWWConfig component | ||||
| CVE-2025-70222 | 1 Dlink | 1 Dir-513 | 2026-03-05 | 9.8 Critical |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formLogin,goform/getAuthCode. | ||||
| CVE-2025-70221 | 1 Dlink | 1 Dir-513 | 2026-03-05 | 9.8 Critical |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formLogin. | ||||
| CVE-2025-70219 | 1 Dlink | 1 Dir-513 | 2026-03-05 | 9.8 Critical |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the goform/formDeviceReboot. | ||||
| CVE-2025-70218 | 1 Dlink | 1 Dir-513 | 2026-03-05 | 9.8 Critical |
| Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via POST to the goform/formAdvFirewall component. | ||||