Export limit exceeded: 336060 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336060 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7713 | 2 Global Interactive Design Media Software, Globalmedya | 2 Content Management System, Content Management System | 2026-03-10 | 7.5 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers.This issue affects Content Management System (CMS): through 21072025. | ||||
| CVE-2026-29191 | 1 Zitadel | 1 Zitadel | 2026-03-10 | 9.3 Critical |
| ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0. | ||||
| CVE-2026-29192 | 1 Zitadel | 1 Zitadel | 2026-03-10 | 7.7 High |
| ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0. | ||||
| CVE-2026-29193 | 1 Zitadel | 1 Zitadel | 2026-03-10 | 8.2 High |
| ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1. | ||||
| CVE-2026-1616 | 1 Redhat | 2 Open Security Issue Management, Osim | 2026-03-10 | 7.5 High |
| The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters. | ||||
| CVE-2026-30913 | 1 Flarum | 1 Nicknames | 2026-03-10 | 4.6 Medium |
| Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains. | ||||
| CVE-2026-2364 | 1 Codesys | 1 Codesys Installer | 2026-03-10 | 7.3 High |
| If a legitimate user confirms a self-update prompt or initiate an installation of a CODESYS Development System, a low privileged local attacker can gain elevated rights due to a TOCTOU vulnerability in the CODESYS installer. | ||||
| CVE-2026-3803 | 1 Tenda | 2 I3, I3 Firmware | 2026-03-10 | 8.8 High |
| A vulnerability was identified in Tenda i3 1.0.0.6(2204). This affects the function formWifiMacFilterGet of the file /goform/WifiMacFilterGet. The manipulation of the argument index leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2026-3790 | 2 Ahsanriaz26gmailcom, Sourcecodester | 2 Sales And Inventory System, Sales And Inventory System | 2026-03-10 | 6.3 Medium |
| A flaw has been found in SourceCodester Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file check_supplier_details.php of the component POST Parameter Handler. Executing a manipulation of the argument stock_name1 can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | ||||
| CVE-2025-36243 | 1 Ibm | 1 Concert | 2026-03-10 | 5.4 Medium |
| IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | ||||
| CVE-2025-40905 | 1 Dbook | 2 Www::oauth, Www\ | 2026-03-10 | 7.3 High |
| WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. | ||||
| CVE-2025-15444 | 2 Iamb, Perl | 2 Crypt\, Crypt::sodium::xs | 2026-03-10 | 9.8 Critical |
| Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium libsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 . The libsodium vulnerability states: In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability. | ||||
| CVE-2026-30848 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-10 | 3.7 Low |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8. | ||||
| CVE-2026-30850 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-10 | 5.9 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9. | ||||
| CVE-2026-28410 | 2 Graphprotocol, Thegraph | 2 Contracts, Graph Protocol Contracts | 2026-03-10 | 8.1 High |
| The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0. | ||||
| CVE-2026-30854 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-10 | 5.3 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10. | ||||
| CVE-2026-30863 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-10 | 9.8 Critical |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11. | ||||
| CVE-2026-1571 | 1 Tp-link | 3 Archer C50 V3, Archer C60, Archer C60 Firmware | 2026-03-10 | 6.1 Medium |
| User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted. | ||||
| CVE-2026-27797 | 2 Homarr, Homarr-labs | 2 Homarr, Homarr | 2026-03-10 | 5.3 Medium |
| Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive (e.g., reaching loopback/private ranges) from the Homarr host/container network context. This issue has been patched in version 1.54.0. | ||||
| CVE-2026-27796 | 2 Homarr, Homarr-labs | 2 Homarr, Homarr | 2026-03-10 | 5.3 Medium |
| Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0. | ||||