Total
113 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25783 | 1 Mattermost | 1 Mattermost Server | 2026-03-18 | N/A | 4.3 MEDIUM |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586 | |||||
| CVE-2026-2092 | 2026-03-18 | N/A | 7.7 HIGH | ||
| A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. | |||||
| CVE-2026-2454 | 1 Mattermost | 1 Mattermost Server | 2026-03-18 | N/A | 5.8 MEDIUM |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537 | |||||
| CVE-2026-26115 | 1 Microsoft | 5 Sql Server 2016, Sql Server 2017, Sql Server 2019 and 2 more | 2026-03-13 | N/A | 8.8 HIGH |
| Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2026-25179 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-03-13 | N/A | 7.0 HIGH |
| Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-20074 | 2026-03-12 | N/A | 7.4 HIGH | ||
| A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly. This vulnerability is due to insufficient input validation of ingress IS-IS packets. An attacker could exploit this vulnerability by sending crafted IS-IS packets to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the IS-IS process to restart unexpectedly, resulting in a temporary loss of connectivity to advertised networks and a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and must have formed an adjacency. | |||||
| CVE-2026-29788 | 1 Wikitide | 1 Tsportal | 2026-03-11 | N/A | 7.5 HIGH |
| TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30. | |||||
| CVE-2025-53627 | 1 Meshtastic | 1 Meshtastic Firmware | 2026-02-26 | N/A | 5.3 MEDIUM |
| Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. | |||||
| CVE-2025-8556 | 2026-02-25 | N/A | 3.7 LOW | ||
| A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. | |||||
| CVE-2026-2004 | 1 Postgresql | 1 Postgresql | 2026-02-20 | N/A | 8.8 HIGH |
| Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | |||||
| CVE-2026-2003 | 1 Postgresql | 1 Postgresql | 2026-02-20 | N/A | 4.3 MEDIUM |
| Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. | |||||
| CVE-2025-20756 | 1 Mediatek | 38 Mt2735, Mt6833, Mt6833p and 35 more | 2026-02-17 | N/A | 6.5 MEDIUM |
| In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673749; Issue ID: MSV-4643. | |||||
| CVE-2026-24307 | 1 Microsoft | 1 365 Copilot | 2026-02-12 | N/A | 9.3 CRITICAL |
| Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-20119 | 2026-02-05 | N/A | 7.5 HIGH | ||
| A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. | |||||
| CVE-2024-47504 | 1 Juniper | 4 Junos, Srx5400, Srx5600 and 1 more | 2026-01-26 | N/A | 7.5 HIGH |
| An Improper Validation of Specified Type of Input vulnerability in the packet forwarding engine (pfe) Juniper Networks Junos OS on SRX5000 Series allows an unauthenticated, network based attacker to cause a Denial of Service (Dos). When a non-clustered SRX5000 device receives a specifically malformed packet this will cause a flowd crash and restart. This issue affects Junos OS: * 22.1 releases 22.1R1 and later before 22.2R3-S5, * 22.3 releases before 22.3R3-S4, * 22.4 releases before 22.4R3-S4, * 23.2 releases before 23.2R2-S2, * 23.4 releases before 23.4R2-S1, * 24.2 releases before 24.2R1-S1, 24.2R2. Please note that the PR does indicate that earlier versions have been fixed as well, but these won't be adversely impacted by this. | |||||
| CVE-2025-6298 | 1 Axis | 1 Axis Os | 2026-01-21 | N/A | 6.7 MEDIUM |
| ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2024-47261 | 1 Axis | 3 Axis Os, Axis Os 2022, Axis Os 2024 | 2026-01-14 | N/A | 4.3 MEDIUM |
| 51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device. | |||||
| CVE-2025-30027 | 1 Axis | 1 Axis Os | 2026-01-13 | N/A | 6.7 MEDIUM |
| An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | |||||
| CVE-2025-13352 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 3.0 LOW |
| Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts. | |||||
| CVE-2025-12689 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 6.5 MEDIUM |
| Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request. | |||||