Export limit exceeded: 337705 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337705 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-70973 | 1 Scadabr | 1 Scadabr | 2026-03-11 | 4.8 Medium |
| ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | ||||
| CVE-2026-0953 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-03-11 | 9.8 Critical |
| The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address. | ||||
| CVE-2026-1919 | 2 Arraytics, Wordpress | 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress | 2026-03-11 | 5.3 Medium |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data. | ||||
| CVE-2026-1920 | 2 Arraytics, Wordpress | 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress | 2026-03-11 | 5.3 Medium |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins. | ||||
| CVE-2026-22614 | 1 Eaton | 1 Easysoft | 2026-03-11 | 6.1 Medium |
| The encryption mechanism used in Eaton's EasySoft project file was insecure and susceptible to brute force attacks, an attacker with access to this file and the local host machine could potentially read the sensitive information stored and tamper with the project file. This security issue has been fixed in the latest version of Eaton EasySoft which is available on the Eaton download centre. | ||||
| CVE-2026-24309 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-03-11 | 6.4 Medium |
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality. | ||||
| CVE-2026-24310 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-03-11 | 3.5 Low |
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentiality with no effect on the integrity and availability. | ||||
| CVE-2026-24311 | 1 Sap Se | 1 Sap Customer Checkout 2.0 | 2026-03-11 | 5.6 Medium |
| The SAP Customer Checkout application exhibits certain design characteristics that involve locally storing operational data using reversible protection mechanisms. Access to this data, combined with user?initiated interaction, may allow modifications to occur without validation. Such changes could affect system behaviour during startup, resulting in a high impact on the application's confidentiality and integrity, with a low impact on availability. | ||||
| CVE-2026-24313 | 1 Sap Se | 1 Sap Solution Tools Plug-in (st-pi) | 2026-03-11 | 5 Medium |
| SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing system information to be disclosed. This vulnerability has a low impact on confidentiality and does not affect integrity or availability. | ||||
| CVE-2026-24317 | 1 Sap Se | 1 Sap Gui For Windows With Active Guixt | 2026-03-11 | 5 Medium |
| SAP GUI for Windows allows DLL files to be loaded from arbitrary directories within the application. An unauthenticated attacker could exploit this vulnerability by persuading a victim to place a malicious DLL within one of these directories. The malicious command is executed in the victim user's context provided GuiXT is enabled. This vulnerability has a low impact on confidentiality, integrity, and availability. | ||||
| CVE-2026-25045 | 1 Budibase | 1 Budibase | 2026-03-11 | N/A |
| Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner’s account details and all orders (e.g., change name). This is because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise. | ||||
| CVE-2026-25960 | 1 Vllm-project | 1 Vllm | 2026-03-11 | 7.1 High |
| vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load_from_url_async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses urllib3.util.parse_url() to validate and extract the hostname from user-provided URLs. However, load_from_url_async uses aiohttp for making the actual HTTP requests, and aiohttp internally uses the yarl library for URL parsing. This vulnerability in 0.17.0. | ||||
| CVE-2026-27686 | 1 Sap Se | 1 Sap Business Warehouse (service Api) | 2026-03-11 | 5.9 Medium |
| Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected. | ||||
| CVE-2026-27687 | 1 Sap Se | 2 Sap Erp Hcm Portugal, Sap S/4hana Hcm Portugal | 2026-03-11 | 5.8 Medium |
| Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability. | ||||
| CVE-2026-27688 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-03-11 | 5 Medium |
| Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected. | ||||
| CVE-2026-27689 | 1 Sap | 1 Supply Chain Management | 2026-03-11 | 7.7 High |
| Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected. | ||||
| CVE-2026-28267 | 4 Digital Arts, Fujitsu, Inventit and 1 more | 11 Digitalarts@cloud Agent (for Windows), I-filter ブラウザー&クラウド Multiagent For Windows, I-フィルター 10 (windows Version Only) and 8 more | 2026-03-11 | N/A |
| Multiple i-フィルター products are configured with improper file access permission settings. Files may be created or overwritten in the system directory or backup directory by a non-administrative user. | ||||
| CVE-2026-28432 | 1 Misskey | 1 Misskey | 2026-03-11 | N/A |
| Misskey is an open source, federated social media platform. All Misskey servers prior to 2026.3.1 contain a vulnerability that allows bypassing HTTP signature verification. Although this is a vulnerability related to federation, it affects all servers regardless of whether federation is enabled or disabled. This vulnerability is fixed in 2026.3.1. | ||||
| CVE-2026-27685 | 1 Sap Se | 1 Sap Netweaver Enterprise Portal Administration | 2026-03-11 | 9.1 Critical |
| SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system. | ||||
| CVE-2026-29773 | 1 Kubewarden | 1 Kubewarden-controller | 2026-03-11 | 4.3 Medium |
| Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which isn't the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively. This attack is read-only, there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three. | ||||