Export limit exceeded: 336986 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 336986 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336986 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3211 | 1 Drupal | 1 Theme Negotiation By Rules | 2026-03-26 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1. | ||||
| CVE-2026-3210 | 1 Drupal | 1 Material Icons | 2026-03-26 | 5.3 Medium |
| Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4. | ||||
| CVE-2026-33397 | 2026-03-26 | N/A | ||
| The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validation logic fails to account for a single backslash (`\`) bypass. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker provides a value starting with a single backslash, the internal validation failed to flag the single backslash as invalid, the application prepends a leading forward slash, resulting in a `Location` header containing the URL, and modern browsers interpret the `/\` sequence as `//`, treating it as a protocol-relative URL and redirecting the user to the attacker-controlled domain. Furthermore, the response lacks the `Vary: X-Forwarded-Prefix` header, allowing the malicious redirect to be stored in intermediate caches (Web Cache Poisoning). Versions 22.0.0-next.2, 21.2.3, and 20.3.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request. | ||||
| CVE-2026-33287 | 1 Harttle | 1 Liquidjs | 2026-03-26 | 7.5 High |
| LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue. | ||||
| CVE-2026-32519 | 2 Bitapps, Wordpress | 2 Bit Smtp, Wordpress | 2026-03-26 | 9 Critical |
| Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2. | ||||
| CVE-2026-32503 | 2 Creativews, Wordpress | 2 Trendustry, Wordpress | 2026-03-26 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion.This issue affects Trendustry: from n/a through <= 1.1.4. | ||||
| CVE-2026-32499 | 2 Quantumcloud, Wordpress | 2 Chatbot, Wordpress | 2026-03-26 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection.This issue affects ChatBot: from n/a through <= 7.7.9. | ||||
| CVE-2026-31920 | 2 Devteam Haywoodtech, Wordpress | 2 Product Rearrange For Woocommerce, Wordpress | 2026-03-26 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2. | ||||
| CVE-2026-31913 | 2 Whitebox-studio, Wordpress | 2 Scape, Wordpress | 2026-03-26 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16. | ||||
| CVE-2026-30162 | 2026-03-26 | N/A | ||
| Cross Site Scripting (xss) vulnerability in Timo 2.0.3 via crafted links in the title field. | ||||
| CVE-2026-2348 | 1 Drupal | 1 Quick Edit | 2026-03-26 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Quick Edit allows Cross-Site Scripting (XSS).This issue affects Quick Edit: from 0.0.0 before 1.0.5, from 2.0.0 before 2.0.1. | ||||
| CVE-2026-29934 | 2026-03-26 | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header. | ||||
| CVE-2026-29933 | 2026-03-26 | N/A | ||
| A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header. | ||||
| CVE-2026-28857 | 1 Apple | 4 Ios And Ipados, Macos, Safari and 1 more | 2026-03-26 | 6.5 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash. | ||||
| CVE-2026-28816 | 1 Apple | 1 Macos | 2026-03-26 | 4 Medium |
| A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to delete files for which it does not have permission. | ||||
| CVE-2026-28298 | 2026-03-26 | 5.9 Medium | ||
| SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. | ||||
| CVE-2026-28297 | 2026-03-26 | 6.1 Medium | ||
| SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. | ||||
| CVE-2026-27663 | 2026-03-26 | 6.5 Medium | ||
| A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), RTUM85 RTU Base (All versions < V26.10). The affected application contains denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjected to a high volume of requests. Sending multiple requests can exhaust resources, preventing parameterization and requiring a reset or reboot to restore functionality. | ||||
| CVE-2026-27084 | 2 Themerex, Wordpress | 2 Buisson, Wordpress | 2026-03-26 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11. | ||||
| CVE-2026-27080 | 2 Mikado-themes, Wordpress | 2 Deston, Wordpress | 2026-03-26 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion.This issue affects Deston: from n/a through <= 1.0. | ||||