Export limit exceeded: 75805 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (75805 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41758 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 8.8 High |
| A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise. | ||||
| CVE-2025-41757 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 8.8 High |
| A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevated privileges and does not validate the contents of the backup archive to create or overwrite arbitrary files anywhere on the system. | ||||
| CVE-2025-41756 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 8.1 High |
| A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system. | ||||
| CVE-2025-41772 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 7.5 High |
| An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR. | ||||
| CVE-2026-27279 | 3 Adobe, Apple, Microsoft | 3 Substance 3d Stager, Macos, Windows | 2026-03-11 | 7.8 High |
| Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-27277 | 3 Adobe, Apple, Microsoft | 3 Substance 3d Stager, Macos, Windows | 2026-03-11 | 7.8 High |
| Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-27276 | 3 Adobe, Apple, Microsoft | 3 Substance 3d Stager, Macos, Windows | 2026-03-11 | 7.8 High |
| Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-21289 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-03-11 | 7.5 High |
| Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-27220 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2026-03-11 | 7.8 High |
| Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-21309 | 1 Adobe | 4 Adobe Commerce, Commerce, Commerce B2b and 1 more | 2026-03-11 | 7.5 High |
| Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction. | ||||
| CVE-2026-29186 | 2 Backstage, Linuxfoundation | 2 Backstage, Backstage Plugin-techdocs-node | 2026-03-11 | 7.7 High |
| Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3. | ||||
| CVE-2026-28693 | 1 Imagemagick | 1 Imagemagick | 2026-03-11 | 8.1 High |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41. | ||||
| CVE-2026-28691 | 1 Imagemagick | 1 Imagemagick | 2026-03-11 | 7.5 High |
| ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41. | ||||
| CVE-2026-28678 | 1 Toxicbishop | 2 Dsa-with-tsx, Dsa Study Hub | 2026-03-11 | 8.1 High |
| DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba. | ||||
| CVE-2026-30946 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-11 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15. | ||||
| CVE-2026-3336 | 2 Amazon, Aws | 3 Aws-lc-sys, Aws Libcrypto, Aws-lc | 2026-03-11 | 7.5 High |
| Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ||||
| CVE-2026-30947 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-03-11 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16. | ||||
| CVE-2026-0109 | 1 Google | 1 Android | 2026-03-11 | 7.5 High |
| In dhd_tcpdata_info_get of dhd_ip.c, there is a possible Denial of Service due to a precondition check failure. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-0124 | 1 Google | 1 Android | 2026-03-11 | 7.8 High |
| There is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-27267 | 2 Adobe, Microsoft | 2 Illustrator, Windows | 2026-03-11 | 7.8 High |
| Illustrator versions 29.8.4, 30.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||