Export limit exceeded: 340003 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (340003 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33473 | 2026-03-24 | 5.7 Medium | ||
| Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue. | ||||
| CVE-2026-20163 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2026-03-24 | 8 High |
| In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint. | ||||
| CVE-2026-4645 | 1 Redhat | 10 Acm, Advanced Cluster Management For Kubernetes, Enterprise Linux and 7 more | 2026-03-24 | 7.5 High |
| A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utilization and a Denial of Service (DoS) condition for the affected system. | ||||
| CVE-2026-33678 | 2026-03-24 | 8.1 High | ||
| Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue. | ||||
| CVE-2026-33502 | 1 Wwbn | 1 Avideo | 2026-03-24 | 9.3 Critical |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated server-side request forgery vulnerability in `plugin/Live/test.php` allows any remote user to make the AVideo server send HTTP requests to arbitrary URLs. This can be used to probe localhost/internal services and, when reachable, access internal HTTP resources or cloud metadata endpoints. Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3 contains a patch. | ||||
| CVE-2026-33507 | 1 Wwbn | 1 Avideo | 2026-03-24 | 8.8 High |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch. | ||||
| CVE-2026-0385 | 1 Microsoft | 2 Edge, Edge For Android | 2026-03-24 | 5 Medium |
| Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | ||||
| CVE-2026-26133 | 1 Microsoft | 33 365 Copilot Android, 365 Copilot For Android, 365 Copilot For Ios and 30 more | 2026-03-24 | 7.1 High |
| AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-26144 | 1 Microsoft | 1 365 Apps | 2026-03-24 | 7.5 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-26141 | 1 Microsoft | 1 Azure Automation Hybrid Worker Windows Extension | 2026-03-24 | 7.8 High |
| Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-26130 | 2 Microsoft, Redhat | 2 Asp.net Core, Enterprise Linux | 2026-03-24 | 7.5 High |
| Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2026-26123 | 1 Microsoft | 3 Authenticator, Authenticator For Android, Authenticator For Ios | 2026-03-24 | 5.5 Medium |
| Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally. | ||||
| CVE-2026-26118 | 1 Microsoft | 4 Azure Mcp Server, Azure Mcp Server Tools, Azure Mcp Server Tools 1 and 1 more | 2026-03-24 | 8.8 High |
| Server-side request forgery (ssrf) in Azure MCP Server allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-26117 | 1 Microsoft | 1 Arc Enabled Servers Azure Connected Machine Agent | 2026-03-24 | 7.8 High |
| Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-26110 | 1 Microsoft | 9 365 Apps, Office, Office 2016 and 6 more | 2026-03-24 | 8.4 High |
| Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-26109 | 1 Microsoft | 13 365 Apps, Excel, Excel 2016 and 10 more | 2026-03-24 | 8.4 High |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-26108 | 1 Microsoft | 11 365 Apps, Excel, Excel 2016 and 8 more | 2026-03-24 | 7.8 High |
| Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-26107 | 1 Microsoft | 11 365 Apps, Excel, Excel 2016 and 8 more | 2026-03-24 | 7.8 High |
| Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | ||||
| CVE-2026-26106 | 1 Microsoft | 3 Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019 | 2026-03-24 | 8.8 High |
| Improper input validation in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-23665 | 1 Microsoft | 2 Azure Linux Virtual Machines Azure Diagnostics, Linux Diagnostic Extension | 2026-03-24 | 7.8 High |
| Heap-based buffer overflow in Azure Linux Virtual Machines allows an authorized attacker to elevate privileges locally. | ||||