Total
13056 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-20020 | 1 Cisco | 2 Adaptive Security Appliance Software, Secure Firewall Threat Defense | 2026-03-05 | 6.8 Medium |
| A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. If OSPF authentication is enabled, the attacker must know the secret key to exploit this vulnerability. This vulnerability is due to insufficient input validation when processing OSPF update packets. An attacker could exploit this vulnerability by sending crafted OSPF update packets. A successful exploit could allow the attacker to create a buffer overflow, causing the affected device to reload, resulting in a DoS condition. | ||||
| CVE-2026-27443 | 1 Seppmail | 2 Seppmail, Seppmail Secure Email Gateway | 2026-03-05 | 7.5 High |
| SEPPmail Secure Email Gateway before version 15.0.1 does not properly sanitize the headers from S/MIME protected MIME entities, allowing an attacker to control trusted headers. | ||||
| CVE-2026-3204 | 1 Devolutions | 2 Devolutions Server, Server | 2026-03-05 | 9.8 Critical |
| Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. | ||||
| CVE-2026-2590 | 1 Devolutions | 1 Remote Desktop Manager | 2026-03-05 | 9.8 Critical |
| Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled. | ||||
| CVE-2011-10020 | 2026-03-05 | N/A | ||
| Kaillera Server version 0.86 is vulnerable to a denial-of-service condition triggered by sending a malformed UDP packet after the initial handshake. Once a client sends a valid HELLO0.83 packet and receives a response, any subsequent malformed packet causes the server to crash and become unresponsive. This flaw stems from improper input validation in the server’s UDP packet handler, allowing unauthenticated remote attackers to disrupt service availability. | ||||
| CVE-2025-34101 | 1 Plex | 1 Media Server Firmware | 2026-03-05 | N/A |
| An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls. | ||||
| CVE-2026-27818 | 2 Terria, Terriajs | 2 Terriajs-server, Terriajs-server | 2026-03-04 | 7.5 High |
| TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue. | ||||
| CVE-2024-55020 | 1 Weintek | 4 Cmt-3072xh2, Cmt-3072xh2 Firmware, Cmt3072xh and 1 more | 2026-03-04 | 9.8 Critical |
| A command injection vulnerability in the DHCP activation feature of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows attackers to execute arbitrary commands with root privileges. | ||||
| CVE-2026-28421 | 1 Vim | 1 Vim | 2026-03-04 | 5.3 Medium |
| Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue. | ||||
| CVE-2025-62816 | 1 Samsung | 15 Exynos, Exynos 1280, Exynos 1280 Firmware and 12 more | 2026-03-04 | 5.5 Medium |
| An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, and 2500. Unvalidated VS4L_VERTEXIOC_BOOTUP input leads to a denial of service. | ||||
| CVE-2025-67484 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-03-03 | 4.7 Medium |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | ||||
| CVE-2025-67480 | 2 Mediawiki, Wikimedia | 2 Mediawiki, Mediawiki | 2026-03-03 | N/A |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | ||||
| CVE-2025-61652 | 1 Wikimedia | 1 Discussiontools | 2026-03-03 | N/A |
| Vulnerability in Wikimedia Foundation DiscussionTools.This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. | ||||
| CVE-2026-2970 | 2 Datapizza, Datapizza-labs | 2 Datapizza Ai, Datapizza-ai | 2026-03-03 | 4.6 Medium |
| A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-1691 | 2 Adlered, Bolo-blog | 2 Bolo-solo, Bolo-solo | 2026-03-03 | 6.3 Medium |
| A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-27702 | 1 Budibase | 1 Budibase | 2026-03-02 | 9.9 Critical |
| Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where user-controlled view map functions are directly evaluated without sanitization. The primary impact comes from what lives inside the pod's environment: the `app-service` pod runs with secrets baked into its environment variables, including `INTERNAL_API_KEY`, `JWT_SECRET`, CouchDB admin credentials, AWS keys, and more. Using the extracted CouchDB credentials, we verified direct database access, enumerated all tenant databases, and confirmed that user records (email addresses) are readable. Version 3.30.4 contains a patch. | ||||
| CVE-2025-0178 | 1 Watchguard | 28 Firebox M270, Firebox M290, Firebox M370 and 25 more | 2026-03-02 | 6.1 Medium |
| Improper Input Validation vulnerability in WatchGuard Fireware OS allows an attacker to manipulate the value of the HTTP Host header in requests sent to the Web UI. An attacker could exploit this vulnerability to redirect users to malicious websites, poison the web cache, or inject malicious JavaScript into responses sent by the Web UI. This issue affects Fireware OS: from 12.0 up to and including 12.11. | ||||
| CVE-2026-26935 | 1 Elastic | 1 Kibana | 2026-03-02 | 6.5 Medium |
| Improper Input Validation (CWE-20) in the internal Content Connectors search endpoint in Kibana can lead Denial of Service via Input Data Manipulation (CAPEC-153) | ||||
| CVE-2026-27959 | 1 Koajs | 1 Koa | 2026-02-28 | 7.5 High |
| Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue. | ||||
| CVE-2026-27590 | 1 Caddyserver | 1 Caddy | 2026-02-27 | 9.8 Critical |
| Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue. | ||||