Export limit exceeded: 336352 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336352 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28210 | 2026-03-05 | N/A | ||
| FreePBX is an open source IP PBX. Prior to versions 16.0.49 and 17.0.7, FreePBX module cdr (Call Data Record) is vulnerable to SQL query injection. This issue has been patched in versions 16.0.49 and 17.0.7. | ||||
| CVE-2026-28284 | 2026-03-05 | N/A | ||
| FreePBX is an open source IP PBX. Prior to versions 16.0.10 and 17.0.5, the FreePBX logfiles module contains several authenticated SQL injection vulnerabilities. This issue has been patched in versions 16.0.10 and 17.0.5. | ||||
| CVE-2026-28287 | 2026-03-05 | N/A | ||
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | ||||
| CVE-2026-28536 | 2026-03-05 | 9.6 Critical | ||
| Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | ||||
| CVE-2026-2893 | 2026-03-05 | 6.5 Medium | ||
| The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned. | ||||
| CVE-2026-29052 | 2026-03-05 | N/A | ||
| The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users viewing events created by an administrative account. This issue has been patched in version 1.8.11. | ||||
| CVE-2026-29053 | 2026-03-05 | 7.7 High | ||
| Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1. | ||||
| CVE-2025-68435 | 1 Nicotsx | 1 Zerobyte | 2026-03-05 | 9.1 Critical |
| Zerobyte is a backup automation tool Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessible without valid session credentials. This is dangerous for those who have exposed Zerobyte to be used outside of their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended. | ||||
| CVE-2025-14691 | 1 Mayan-edms | 1 Mayan Edms | 2026-03-05 | 4.3 Medium |
| A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete." | ||||
| CVE-2025-14692 | 1 Mayan-edms | 1 Mayan Edms | 2026-03-05 | 4.3 Medium |
| A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete." | ||||
| CVE-2025-67745 | 1 Aiven | 1 Myhoard | 2026-03-05 | 7.1 High |
| MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null. | ||||
| CVE-2026-26709 | 1 Code-projects | 1 Simple Gym Management System | 2026-03-05 | 9.8 Critical |
| code-projects Simple Gym Management System v1.0 is vulnerable to SQL Injection in /gym/trainer_search.php. | ||||
| CVE-2020-9375 | 1 Tp-link | 2 Archer C5, Archer C50 | 2026-03-05 | 7.5 High |
| TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allows remote attackers to cause a denial of service via a crafted HTTP Header containing an unexpected Referer field. | ||||
| CVE-2025-68481 | 2 Fastapi-users, Fastapi-users Project | 2 Fastapi-users, Fastapi Users | 2026-03-05 | 5.9 Medium |
| FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `.../callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for \~1 hour, the victim’s browser will complete the flow. This leads to login CSRF. Depending on the app’s logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account. Version 15.0.2 contains a patch for the issue. | ||||
| CVE-2025-14517 | 1 Yalantis | 1 Ucrop | 2026-03-05 | 5.3 Medium |
| A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14516 | 1 Yalantis | 1 Ucrop | 2026-03-05 | 6.3 Medium |
| A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59787 | 1 2n | 1 Access Commander | 2026-03-05 | 6.5 Medium |
| 2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. | ||||
| CVE-2025-15015 | 1 Ragic | 1 Enterprise Cloud Database | 2026-03-05 | 7.5 High |
| Enterprise Cloud Database developed by Ragic has a Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | ||||
| CVE-2025-15016 | 1 Ragic | 1 Enterprise Cloud Database | 2026-03-05 | 9.8 Critical |
| Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. | ||||
| CVE-2018-5383 | 4 Apple, Google, Redhat and 1 more | 5 Iphone Os, Mac Os X, Android and 2 more | 2026-03-05 | 6.8 Medium |
| Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. | ||||