Export limit exceeded: 10749 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10749 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-50518 | 1 Linux | 1 Linux Kernel | 2026-03-17 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: parisc: Fix locking in pdc_iodc_print() firmware call Utilize pdc_lock spinlock to protect parallel modifications of the iodc_dbuf[] buffer, check length to prevent buffer overflow of iodc_dbuf[], drop the iodc_retbuf[] buffer and fix some wrong indentings. | ||||
| CVE-2020-5849 | 1 Unraid | 1 Unraid | 2026-03-17 | 7.5 High |
| Unraid 6.8.0 allows authentication bypass. | ||||
| CVE-2025-9904 | 1 Canon | 5 Generic Plus Lips4 Printer Driver, Generic Plus Lipslx Printer Driver, Generic Plus Pcl6 Printer Driver and 2 more | 2026-03-16 | 5.3 Medium |
| Unallocated memory access vulnerability in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver / UFRII LT Printer Driver / CARPS2 Printer Driver / Generic FAX Driver / LIPS4 Printer Driver / LIPSLX Printer Driver / UFR II Printer Driver / PS Printer Driver / PCL6 Printer Driver | ||||
| CVE-2025-62166 | 1 Freshrss | 1 Freshrss | 2026-03-13 | 7.5 High |
| FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0. | ||||
| CVE-2026-28433 | 1 Misskey | 1 Misskey | 2026-03-13 | 4.3 Medium |
| Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1. | ||||
| CVE-2025-70037 | 1 Linagora | 1 Twake | 2026-03-13 | 6.1 Medium |
| An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in linagora Twake v2023.Q1.1223. This allows attackers to obtain sensitive information and execute arbitrary code. | ||||
| CVE-2026-28512 | 1 Pocket-id | 2 Pocket-id, Pocket Id | 2026-03-13 | 7.1 High |
| Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0. | ||||
| CVE-2026-30927 | 1 Admidio | 1 Admidio | 2026-03-13 | 5.4 Medium |
| Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6. | ||||
| CVE-2025-22444 | 1 Intel | 1 Uefi Firmware | 2026-03-13 | N/A |
| Exposure of resource to wrong sphere in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-69534 | 1 Python-markdown | 1 Markdown | 2026-03-13 | 7.5 High |
| Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions. | ||||
| CVE-2025-69653 | 1 Bellard | 1 Quickjs | 2026-03-12 | 6.5 Medium |
| A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service. | ||||
| CVE-2025-36227 | 2 Ibm, Linux | 3 Aspera Faspex, Aspera Faspex 5, Linux Kernel | 2026-03-12 | 5.4 Medium |
| IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | ||||
| CVE-2025-13213 | 2 Ibm, Linux | 2 Aspera Orchestrator, Linux Kernel | 2026-03-12 | 5.4 Medium |
| IBM Aspera Orchestrator 3.0.0 through 4.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking | ||||
| CVE-2023-5868 | 2 Postgresql, Redhat | 22 Postgresql, Advanced Cluster Security, Codeready Linux Builder Eus and 19 more | 2026-03-12 | 4.3 Medium |
| A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory. | ||||
| CVE-2025-9520 | 1 Tp-link | 1 Omada Controller | 2026-03-11 | 6.8 Medium |
| An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | ||||
| CVE-2025-15114 | 2 Ksenia Security, Kseniasecurity | 3 Lares 4.0 Home Automation, Lares, Lares Firmware | 2026-03-11 | 9.8 Critical |
| Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication. | ||||
| CVE-2025-15112 | 2 Ksenia Security, Kseniasecurity | 3 Lares 4.0 Home Automation, Lares, Lares Firmware | 2026-03-11 | 5.4 Medium |
| Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain. | ||||
| CVE-2026-30825 | 1 Hoppscotch | 1 Hoppscotch | 2026-03-11 | 0 Low |
| hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1. | ||||
| CVE-2025-41760 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 4.9 Medium |
| An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered. | ||||
| CVE-2025-41759 | 2 Mbs, Mbs-solutions | 7 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 4 more | 2026-03-11 | 4.9 Medium |
| An administrator may attempt to block all networks by specifying "\*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all. | ||||