Export limit exceeded: 338724 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (338724 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3511 | 2026-03-19 | 8.6 High | ||
| Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on filesystems running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends request containing a specially crafted XML document to /sign endpoint of the local HTTP server run by the application. | ||||
| CVE-2026-32944 | 1 Parse Community | 1 Parse Server | 2026-03-19 | N/A |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Starting in version 9.6.0-alpha.21 and 8.6.45, a depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. No known workarounds are available. | ||||
| CVE-2026-32737 | 1 Ctfer-io | 1 Romeo | 2026-03-19 | N/A |
| Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Removing the `inter-ns` NetworkPolicy patches the vulnerability in version 0.2.1. If updates are not possible in production environments, manually delete `inter-ns` and update as soon as possible. Given one's context, delete the failing network policy that should be prefixed by `inter-ns-` in the target namespace. | ||||
| CVE-2026-32736 | 1 Hytalemodding | 1 Wiki | 2026-03-19 | 4.3 Medium |
| The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue. | ||||
| CVE-2026-29607 | 1 Openclaw | 1 Openclaw | 2026-03-19 | 6.4 Medium |
| OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows. | ||||
| CVE-2006-10002 | 2026-03-19 | N/A | ||
| XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes. | ||||
| CVE-2006-10003 | 2026-03-19 | N/A | ||
| XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting | ||||
| CVE-2026-31993 | 1 Openclaw | 1 Openclaw | 2026-03-19 | 4.8 Medium |
| OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host. | ||||
| CVE-2026-28449 | 1 Openclaw | 1 Openclaw | 2026-03-19 | 4.8 Medium |
| OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues. | ||||
| CVE-2025-13995 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2026-03-19 | 5 Medium |
| IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 could allow an attacker with access to one tenant to access hostname data from another tenant's account. | ||||
| CVE-2026-23251 | 1 Linux | 1 Linux Kernel | 2026-03-19 | 7.0 High |
| In the Linux kernel, the following vulnerability has been resolved: xfs: only call xf{array,blob}_destroy if we have a valid pointer Only call the xfarray and xfblob destructor if we have a valid pointer, and be sure to null out that pointer afterwards. Note that this patch fixes a large number of commits, most of which were merged between 6.9 and 6.10. | ||||
| CVE-2026-1276 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2026-03-19 | 5.4 Medium |
| IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2026-32722 | 1 Bloomberg | 1 Memray | 2026-03-19 | 3.6 Low |
| Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue. | ||||
| CVE-2026-2992 | 2 Iqonicdesign, Wordpress | 2 Kivicare – Clinic & Patient Management System (ehr), Wordpress | 2026-03-19 | 8.2 High |
| The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges. | ||||
| CVE-2026-3479 | 1 Python | 1 Cpython | 2026-03-19 | N/A |
| pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. | ||||
| CVE-2026-33003 | 1 Jenkins Project | 1 Jenkins Loadninja Plugin | 2026-03-19 | 4.3 Medium |
| Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||||
| CVE-2026-30703 | 1 Shenzhen Yuner Yipu | 1 Wdr201a | 2026-03-19 | N/A |
| A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality. | ||||
| CVE-2026-30701 | 1 Shenzhen Yuner Yipu | 1 Wifi Extender Wdr201a | 2026-03-19 | N/A |
| The web interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) contains hardcoded credential disclosure mechanisms (in the form of Server Side Include) within multiple server-side web pages, including login.shtml and settings.shtml. These pages embed server-side execution directives that dynamically retrieve and expose the web administration password from non-volatile memory at runtime. | ||||
| CVE-2026-26948 | 1 Dell | 1 Integrated Dell Remote Access Controller 8 | 2026-03-19 | 4.9 Medium |
| Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.174, 15G and 16G versions prior to 7.10.90.00, contain an Exposure of Sensitive System Information Due to Uncleared Debug Information vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to information disclosure. | ||||
| CVE-2026-26740 | 1 Giflib | 1 Giflib | 2026-03-19 | 8.2 High |
| Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size. | ||||