Export limit exceeded: 339044 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339044 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-33346 | 1 Openemr | 1 Openemr | 2026-03-20 | 8.7 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue. | ||||
| CVE-2026-33304 | 1 Openemr | 1 Openemr | 2026-03-20 | 6.5 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient names and free-text message content, by crafting a GET request with arbitrary user IDs in the `sentTo[]` or `sentBy[]` parameters. Version 8.0.0.2 fixes the issue. | ||||
| CVE-2026-33303 | 1 Openemr | 1 Openemr | 2026-03-20 | 5.4 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user can set their login username to an XSS payload, which then executes in a clinic staff member's browser when they open the "Create Portal Login" page for that patient. This crosses from the patient session context into the staff/admin session context. Version 8.0.0.2 fixes the issue. | ||||
| CVE-2026-32753 | 1 Freescout Helpdesk | 1 Freescout | 2026-03-20 | N/A |
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered "safe" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209. | ||||
| CVE-2026-32750 | 1 Siyuan | 1 Siyuan | 2026-03-20 | 6.8 Medium |
| SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them searchable and accessible to all workspace users. Data persists in the workspace database across restarts and is accessible to Publish Service Reader accounts. Combined with the renderSprig SQL injection ( separate advisory ), a non-admin user can then read all imported secrets without any additional privileges. This issue has been fixed in version 3.6.1. | ||||
| CVE-2026-32749 | 1 Siyuan | 1 Siyuan | 2026-03-20 | 7.6 High |
| SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. This can lead to aata destruction by overwriting workspace or application files, and for Docker containers running as root (common default), this grants full container compromise. This issue has been fixed in version 3.6.1. | ||||
| CVE-2026-32747 | 1 Siyuan | 1 Siyuan | 2026-03-20 | 6.8 Medium |
| SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API. An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted. This issue has been fixed in version 3.6.1. | ||||
| CVE-2026-30924 | 1 Autobrr | 1 Qui | 2026-03-20 | N/A |
| qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication. | ||||
| CVE-2026-28282 | 1 Discourse | 1 Discourse | 2026-03-20 | N/A |
| Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting. | ||||
| CVE-2026-27491 | 1 Discourse | 1 Discourse | 2026-03-20 | N/A |
| Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available. | ||||
| CVE-2026-25744 | 1 Openemr | 1 Openemr | 2026-03-20 | 6.5 Medium |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue. | ||||
| CVE-2026-23658 | 1 Microsoft | 2 Azure Devops, Azure Devops Msazure | 2026-03-20 | 8.6 High |
| Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-30711 | 1 Devome | 1 Grr | 2026-03-20 | N/A |
| Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent. | ||||
| CVE-2026-4395 | 1 Wolfssl | 1 Wolfssl | 2026-03-20 | N/A |
| Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange. | ||||
| CVE-2026-3547 | 1 Wolfssl | 1 Wolfssl | 2026-03-20 | 7.5 High |
| Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic. | ||||
| CVE-2026-33355 | 1 Discourse | 1 Discourse | 2026-03-20 | 6.5 Medium |
| Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available. | ||||
| CVE-2026-32751 | 1 Siyuan | 1 Siyuan | 2026-03-20 | N/A |
| SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1. | ||||
| CVE-2026-32038 | 1 Openclaw | 1 Openclaw | 2026-03-20 | 9.8 Critical |
| OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container:<id> values to reach services in target container namespaces and bypass network hardening controls. | ||||
| CVE-2026-32035 | 1 Openclaw | 1 Openclaw | 2026-03-20 | 5.9 Medium |
| OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-trust channels. | ||||
| CVE-2026-32034 | 1 Openclaw | 1 Openclaw | 2026-03-20 | 6.8 Medium |
| OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or intercepted credentials can obtain high-privilege Control UI access by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections. | ||||