Export limit exceeded: 341213 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341213 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0953 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-03-11 | 9.8 Critical |
| The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address. | ||||
| CVE-2026-30870 | 1 Powersync-ja | 2 Powersync-service, Powersync-service-sync-rules | 2026-03-11 | 6.5 Medium |
| PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1. | ||||
| CVE-2026-29773 | 1 Kubewarden | 1 Kubewarden-controller | 2026-03-11 | 4.3 Medium |
| Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manner, without privilege escalation. An attacker with privileged "AdmissionPolicy" create permissions (which isn't the default) could make use of 3 deprecated host-callback APIs: kubernetes/ingresses, kubernetes/namespaces, kubernetes/services. The attacker can craft a policy that exercises these deprecated API calls and would allow them read access to Ingresses, Namespaces, and Services resources respectively. This attack is read-only, there is no write capability and no access to Secrets, ConfigMaps, or other resource types beyond these three. | ||||
| CVE-2025-69615 | 1 Deutsche Telekom | 1 Account Management Portal | 2026-03-11 | 9.1 Critical |
| Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03. | ||||
| CVE-2026-3089 | 1 Actual | 1 Actual Sync Server | 2026-03-11 | N/A |
| Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles.This issue affects prior versions of Actual Sync Server 26.3.0. | ||||
| CVE-2026-3585 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-03-11 | 7.5 High |
| The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2026-3288 | 1 Kubernetes | 1 Ingress-nginx | 2026-03-11 | 8.8 High |
| A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | ||||
| CVE-2025-41710 | 2 Janitza, Weidmueller | 4 Umg 96rm-e 230v(5222062), Umg 96rm-e 24v(5222063), Energy Meter 750-230 (2540910000) and 1 more | 2026-03-11 | 6.5 Medium |
| An unauthenticated remote attacker may use hardcodes credentials to get access to the previously activated FTP Server with limited read and write privileges. | ||||
| CVE-2026-1286 | 1 Schneider-electric | 1 Foxboro Dcs | 2026-03-11 | N/A |
| CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file. | ||||
| CVE-2025-11158 | 1 Hitachi | 1 Vantara Pentaho Data Integration And Analytics | 2026-03-11 | 9.1 Critical |
| Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE. | ||||
| CVE-2025-70973 | 1 Scadabr | 1 Scadabr | 2026-03-11 | 4.8 Medium |
| ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | ||||
| CVE-2025-13901 | 1 Schneider-electric | 2 Modicon M241/m251, Modicon M262 | 2026-03-11 | N/A |
| CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels. | ||||
| CVE-2025-69614 | 1 Deutsche Telekom | 1 Account Management Portal | 2026-03-11 | 9.4 Critical |
| Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31. | ||||
| CVE-2026-24309 | 1 Sap | 1 Netweaver Application Server For Abap | 2026-03-11 | 6.4 Medium |
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality. | ||||
| CVE-2026-24317 | 1 Sap Se | 1 Sap Gui For Windows With Active Guixt | 2026-03-11 | 5 Medium |
| SAP GUI for Windows allows DLL files to be loaded from arbitrary directories within the application. An unauthenticated attacker could exploit this vulnerability by persuading a victim to place a malicious DLL within one of these directories. The malicious command is executed in the victim user's context provided GuiXT is enabled. This vulnerability has a low impact on confidentiality, integrity, and availability. | ||||
| CVE-2026-27684 | 1 Sap Se | 1 Sap Netweaver (feedback Notification) | 2026-03-11 | 6.4 Medium |
| SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application. | ||||
| CVE-2026-27687 | 1 Sap Se | 2 Sap Erp Hcm Portugal, Sap S/4hana Hcm Portugal | 2026-03-11 | 5.8 Medium |
| Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability. | ||||
| CVE-2026-1508 | 2 Court Reservation, Wordpress | 2 Court Reservation, Wordpress | 2026-03-11 | 4.3 Medium |
| The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2025-70025 | 1 Benkeen | 1 Generatedata | 2026-03-11 | 6.1 Medium |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in benkeen generatedata 4.0.14. | ||||
| CVE-2025-70033 | 1 Sunbird-ed | 1 Sunbirded-portal | 2026-03-11 | 5.4 Medium |
| An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | ||||