Export limit exceeded: 339889 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339889 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4492 | 1 Tenda | 1 A18 Pro | 2026-03-24 | 8.8 High |
| A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-4493 | 1 Tenda | 1 A18 Pro | 2026-03-24 | 8.8 High |
| A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impacted element is the function sub_423B50 of the file /goform/setMacFilterCfg of the component MAC Filtering Configuration Endpoint. Executing a manipulation of the argument deviceList can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2026-4495 | 1 Atjiu | 1 Pybbs | 2026-03-24 | 3.5 Low |
| A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-4590 | 1 Kalcaddle | 1 Kodbox | 2026-03-24 | 3.1 Low |
| A security flaw has been discovered in kalcaddle kodbox 1.64. The impacted element is an unknown function of the file /workspace/source-code/plugins/oauth/controller/bind/index.class.php of the component loginSubmit API. Performing a manipulation of the argument third results in cross-site request forgery. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4591 | 1 Kalcaddle | 1 Kodbox | 2026-03-24 | 4.7 Medium |
| A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4592 | 1 Kalcaddle | 1 Kodbox | 2026-03-24 | 5.6 Medium |
| A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4594 | 1 Erupt | 1 Erupt | 2026-03-24 | 7.3 High |
| A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-4597 | 1 648540858 | 1 Wvp-gb28181-pro | 2026-03-24 | 6.3 Medium |
| A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. Impacted is the function selectAll of the file src/main/java/com/genersoft/iot/vmp/streamProxy/dao/provider/StreamProxyProvider.java of the component Stream Proxy Query Handler. The manipulation results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. Several companies clearly confirm that VulDB is the primary source for best vulnerability data. | ||||
| CVE-2026-32852 | 1 Mailenable | 1 Mailenable | 2026-03-24 | N/A |
| MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript. | ||||
| CVE-2026-32879 | 1 Quantumnous | 1 New-api | 2026-03-24 | 4.9 Medium |
| New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. As of time of publication, no known patched versions are available. Until a patched release is applied, do not rely on passkey as the step-up method for privileged secure-verification actions; require TOTP/2FA for those actions where operationally possible; or temporarily restrict access to affected secure-verification-protected endpoints. | ||||
| CVE-2026-4595 | 1 Code-projects | 1 Exam Form Submission | 2026-03-24 | 2.4 Low |
| A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. If you want to get the best quality for vulnerability data then you always have to consider VulDB. | ||||
| CVE-2025-67260 | 1 Aster | 3 Tkservercgi, Tkwebcoreng, Tpkwebgis Client | 2026-03-24 | 8.8 High |
| The Terrapack software, from ASTER TEC / ASTER S.p.A., with the indicated components and versions has a file upload vulnerability that may allow attackers to execute arbitrary code. Vulnerable components include Terrapack TkWebCoreNG:: 1.0.20200914, Terrapack TKServerCGI 2.5.4.150, and Terrapack TpkWebGIS Client 1.0.0. | ||||
| CVE-2026-29794 | 1 Go-vikunja | 1 Vikunja | 2026-03-24 | 5.3 Medium |
| Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue. | ||||
| CVE-2026-33312 | 1 Go-vikunja | 1 Vikunja | 2026-03-24 | N/A |
| Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue. | ||||
| CVE-2025-62843 | 1 Qnap Systems | 1 Qrouter | 2026-03-24 | N/A |
| An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later | ||||
| CVE-2025-62845 | 1 Qnap Systems | 1 Qurouter | 2026-03-24 | N/A |
| An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later | ||||
| CVE-2026-22901 | 1 Qnap Systems | 1 Qunetswitch | 2026-03-24 | N/A |
| A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later | ||||
| CVE-2026-4496 | 1 Sigmade | 1 Git-mcp-server | 2026-03-24 | 5.3 Medium |
| A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-32318 | 1 Cryptomator | 1 Ios | 2026-03-24 | 7.6 High |
| Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 2.8.3. | ||||
| CVE-2026-4485 | 1 Itsourcecode | 1 College Management System | 2026-03-24 | 6.3 Medium |
| A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/search_student.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | ||||