Export limit exceeded: 336807 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 336807 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336807 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28014 | 2 Themerex, Wordpress | 2 Translogic, Wordpress | 2026-03-06 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion.This issue affects Translogic: from n/a through <= 1.2.11. | ||||
| CVE-2026-27123 | 2026-03-06 | N/A | ||
| Reason: This candidate was issued in error. | ||||
| CVE-2025-12107 | 1 Wso2 | 2 Identity Server, Wso2 Identity Server | 2026-03-06 | 8.4 High |
| Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject and execute arbitrary template syntax within server-side templates. Successful exploitation of this vulnerability could allow a malicious actor with admin privilege to inject and execute arbitrary template code on the server, potentially leading to remote code execution, data manipulation, or unauthorized access to sensitive information. | ||||
| CVE-2026-26998 | 1 Traefik | 1 Traefik | 2026-03-06 | 4.4 Medium |
| Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing the ForwardAuth middleware responses. When Traefik is configured to use the ForwardAuth middleware, the response body from the authentication server is read entirely into memory without any size limit. There is no maxResponseBodySize configuration to restrict the amount of data read from the authentication server response. If the authentication server returns an unexpectedly large or unbounded response body, Traefik will allocate unlimited memory, potentially causing an out-of-memory (OOM) condition that crashes the process. This results in a denial of service for all routes served by the affected Traefik instance. This issue has been patched in versions 2.11.38 and 3.6.9. | ||||
| CVE-2026-26999 | 1 Traefik | 1 Traefik | 2026-03-06 | 7.5 High |
| Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9. | ||||
| CVE-2026-29054 | 1 Traefik | 1 Traefik | 2026-03-06 | 7.5 High |
| Traefik is an HTTP reverse proxy and load balancer. From version 2.11.9 to 2.11.37 and from version 3.1.3 to 3.6.8, there is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers. When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers. This issue has been patched in versions 2.11.38 and 3.6.9. | ||||
| CVE-2026-27023 | 1 Twenty | 1 Twenty | 2026-03-06 | 5 Medium |
| Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18. | ||||
| CVE-2026-27723 | 1 Opf | 1 Openproject | 2026-03-06 | 4.3 Medium |
| OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2. | ||||
| CVE-2026-24457 | 1 Eclipse | 1 Openmq | 2026-03-06 | 9.1 Critical |
| An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ’s host OS. In some scenarios RCE could be achieved. | ||||
| CVE-2026-27944 | 1 0xjacky | 1 Nginx-ui | 2026-03-06 | 9.8 Critical |
| Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3. | ||||
| CVE-2025-7375 | 1 Tp-link | 1 Eap610 V3 | 2026-03-06 | N/A |
| A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to cause the device’s HTTP service to crash. This results in temporary service unavailability until the device is rebooted. This issue affects Omada EAP610 firmware versions prior to 1.6.0. | ||||
| CVE-2025-36018 | 2 Ibm, Linux | 2 Concert, Linux Kernel | 2026-03-06 | 6.5 Medium |
| IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | ||||
| CVE-2025-33089 | 1 Ibm | 1 Concert | 2026-03-06 | 6.5 Medium |
| IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials. | ||||
| CVE-2026-2620 | 1 Huace | 1 Monitoring And Early Warning System | 2026-03-06 | 7.3 High |
| A weakness has been identified in Huace Monitoring and Early Warning System 2.2. Affected by this issue is some unknown functionality of the file /Web/SysManage/ProjectRole.aspx. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-22762 | 1 Dell | 3 Avamar Server, Avamar Virtual Edition, Powerprotect Dp Series Appliance (idpa) | 2026-03-06 | 6.5 Medium |
| Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete. | ||||
| CVE-2025-13327 | 1 Redhat | 2 Ai Inference Server, Openshift Ai | 2026-03-06 | 6.3 Medium |
| A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. | ||||
| CVE-2026-2252 | 1 Xerox | 1 Freeflow Core | 2026-03-06 | 7.5 High |
| An XML External Entity (XXE) vulnerability allows malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads | ||||
| CVE-2025-11252 | 2 Signum Technology Promotion And Training, Signumtte | 2 Windesk.fm, Windesk.fm | 2026-03-06 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Signum Technology Promotion and Training Inc. Windesk.Fm allows SQL Injection.This issue affects windesk.Fm: through 27022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-2750 | 1 Centreon | 1 Centreon Open Tickets On Central Server | 2026-03-06 | 9.1 Critical |
| Improper Input Validation vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centreon Open Tickets modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10; 24.10;24.04. | ||||
| CVE-2026-2749 | 1 Centreon | 1 Open Tickets | 2026-03-06 | 9.9 Critical |
| Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7. | ||||