Export limit exceeded: 336926 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336926 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28287 | 2 Freepbx, Sangoma | 2 Security-reporting, Freepbx | 2026-03-09 | 8.8 High |
| FreePBX is an open source IP PBX. From versions 16.0.17.2 to before 16.0.20 and from version 17.0.2.4 to before 17.0.5, multiple command injection vulnerabilities exist in the recordings module. This issue has been patched in versions 16.0.20 and 17.0.5. | ||||
| CVE-2026-28717 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-09 | N/A |
| Local privilege escalation due to improper directory permissions. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | ||||
| CVE-2026-28721 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-09 | N/A |
| Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | ||||
| CVE-2026-28722 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-09 | N/A |
| Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | ||||
| CVE-2025-66203 | 1 Lemon8866 | 1 Streamvault | 2026-03-09 | 10 Critical |
| StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. | ||||
| CVE-2025-7014 | 2 Qr Menu Pro Smart Menu Systems, Qrmenumpro | 2 Menu Panel, Menu Panel | 2026-03-09 | 5.7 Medium |
| Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-31044 | 1 Nokia | 2 Impact, Impact Mobile | 2026-03-09 | 2 Low |
| An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may attempt data exfiltration or other malicious activity when automatically executed by the spreadsheet software. | ||||
| CVE-2025-67485 | 2 Machphy, Mad-proxy | 2 Mad-proxy, Mad-proxy | 2026-03-09 | 5.3 Medium |
| mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication. | ||||
| CVE-2026-28392 | 1 Openclaw | 1 Openclaw | 2026-03-09 | 7.5 High |
| OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions. | ||||
| CVE-2026-28393 | 1 Openclaw | 1 Openclaw | 2026-03-09 | 7.7 High |
| OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges. | ||||
| CVE-2026-28711 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-09 | N/A |
| Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. | ||||
| CVE-2026-28724 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-09 | N/A |
| Unauthorized data access due to insufficient access control validation. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | ||||
| CVE-2026-28725 | 1 Acronis | 1 Acronis Cyber Protect 17 | 2026-03-09 | N/A |
| Sensitive information disclosure due to improper configuration of a headless browser. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | ||||
| CVE-2025-11790 | 1 Acronis | 1 Cyber Protect Cloud Agent | 2026-03-09 | N/A |
| Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. | ||||
| CVE-2026-28680 | 1 Ghostfolio | 1 Ghostfolio | 2026-03-09 | 9.3 Critical |
| Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0. | ||||
| CVE-2025-70949 | 1 Perfood | 1 Couchauth | 2026-03-09 | 7.5 High |
| An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel. | ||||
| CVE-2026-29188 | 1 Filebrowser | 1 Filebrowser | 2026-03-09 | 9.1 Critical |
| File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1. | ||||
| CVE-2025-70614 | 1 Opencode Systems | 1 Ussd Gateway | 2026-03-09 | 8.1 High |
| OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter. | ||||
| CVE-2026-28277 | 1 Langchain-ai | 1 Langgraph | 2026-03-09 | 6.8 Medium |
| LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public. | ||||
| CVE-2025-70948 | 1 Perfood | 1 Couchauth | 2026-03-09 | 9.3 Critical |
| A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header. | ||||