Search Results (327491 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28075 | | | 2026-03-05 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto porto allows Reflected XSS. This issue affects Porto: from n/a through <= 7.6.2. | ||||
| CVE-2024-11831 | 1 Redhat | 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more | 2026-03-05 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2026-27736 | 1 Bigbluebutton | 1 Bigbluebutton | 2026-03-05 | 6.1 Medium |
| BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available. | ||||
| CVE-2026-24415 | 1 Devcode | 1 Openstamanager | 2026-03-05 | 6.1 Medium |
| OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output. The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript. | ||||
| CVE-2026-28287 | | | 2026-03-05 | N/A |
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | ||||
| CVE-2026-28284 | | | 2026-03-05 | N/A |
| FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5. | ||||
| CVE-2026-28210 | | | 2026-03-05 | N/A |
| FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7. | ||||
| CVE-2026-28209 | | | 2026-03-05 | N/A |
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, a command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | ||||
| CVE-2025-66168 | 1 Apache | 3 Activemq, Activemq All Module, Activemq Mqtt Module | 2026-03-05 | 5.4 Medium |
| Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0. Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue. | ||||
| CVE-2026-28077 | | | 2026-03-05 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion. This issue affects Vapester: from n/a through <= 1.1.10. | ||||
| CVE-2025-70341 | 1 App-auto-patch | 1 App-auto-patch | 2026-03-05 | 7.8 High |
| Insecure permissions in App-Auto-Patch v3.4.2 create a race condition which allows attackers to write arbitrary files. | ||||
| CVE-2026-27012 | 1 Devcode | 1 Openstamanager | 2026-03-05 | 9.8 Critical |
| OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators. | ||||
| CVE-2025-70616 | | | 2026-03-05 | N/A |
| A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. The vulnerability is caused by missing bounds checking on the user-controlled Options parameter before copying data into a 40-byte stack buffer (Src[40]) using memmove. An attacker with local access can exploit this vulnerability by sending a crafted IOCTL request with Options > 40, causing a stack buffer overflow that may lead to kernel code execution, local privilege escalation, or denial of service (system crash). Additionally, the same IOCTL handler can leak kernel addresses and other sensitive stack data when reading beyond the buffer boundaries. | ||||
| CVE-2025-64736 | 2 Libbiosig Project, The Biosig Project | 2 Libbiosig, Libbiosig | 2026-03-05 | 6.1 Medium |
| An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2026-20777 | 2 Libbiosig Project, The Biosig Project | 2 Libbiosig, Libbiosig | 2026-03-05 | 8.1 High |
| A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2026-22891 | 2 Libbiosig Project, The Biosig Project | 2 Libbiosig, Libbiosig | 2026-03-05 | 9.8 Critical |
| A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | ||||
| CVE-2026-22285 | 1 Dell | 2 Device Management Agent, Device Management Agent (ddma) | 2026-03-05 | 4.4 Medium |
| Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access. | ||||
| CVE-2026-26478 | 1 Mobvoi | 3 Tichome Mini, Tichome Mini Firmware, Tichome Mini Smart Speaker | 2026-03-05 | 9.8 Critical |
| A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account. | ||||
| CVE-2026-26514 | 1 Xddxdd | 1 Bird-lg-go | 2026-03-05 | 7.5 High |
| An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources. | ||||
| CVE-2026-26673 | 1 Dji | 8 Mavic Air, Mavic Mini, Mavic Mini Firmware and 5 more | 2026-03-05 | 7.5 High |
| An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem. | ||||