Total: 3532 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-21667 | | | 2026-03-12 | N/A | 9.9 CRITICAL | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. |
| CVE-2026-3268 | 1 Psi-probe | 1 Psi Probe | 2026-03-12 | 5.5 MEDIUM | 5.4 MEDIUM | A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the component Session Attribute Handler. Performing a manipulation results in improper access controls. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-30966 | 1 Parseplatform | 1 Parse-server | 2026-03-11 | N/A | 10.0 CRITICAL | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a pointerFields CLP bypasses that access control. This vulnerability is fixed in 9.5.2-alpha.7 and 8.6.20. |
| CVE-2026-0108 | 1 Google | 1 Android | 2026-03-11 | N/A | 4.0 MEDIUM | The register protection of the PowerVR GPU is incorrectly configured. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-30962 | 1 Parseplatform | 1 Parse-server | 2026-03-11 | N/A | 6.5 MEDIUM | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19. |
| CVE-2025-66509 | 1 Laradashboard | 1 Lara Dashboard | 2026-03-11 | N/A | 9.8 CRITICAL | LaraDashboard is an all-in-one solution to start a Laravel application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator's reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution. |
| CVE-2026-22628 | | | 2026-03-11 | N/A | 5.3 MEDIUM | An improper access control vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an authenticated admin to execute system commands via a specifically crafted SSH config file. |
| CVE-2026-2742 | | | 2026-03-11 | N/A | N/A | An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1 applications using Spring Security, due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework initialization and create sessions without proper authorization. Users of affected versions using Spring Security should upgrade as follows: 14.0.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.7 to 24.9.8, and 25.0.0-25.0.1 to 25.0.2 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported; update to the latest 14, 23, 24 or 25 version. |
| CVE-2026-23660 | | | 2026-03-11 | N/A | 7.8 HIGH | Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally. |
| CVE-2026-31815 | | | 2026-03-11 | N/A | 5.3 MEDIUM | Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0. |
| CVE-2026-31834 | | | 2026-03-11 | N/A | 7.2 HIGH | Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, a privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2. |
| CVE-2026-29188 | 1 Filebrowser | 1 Filebrowser | 2026-03-10 | N/A | 9.1 CRITICAL | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected. This issue has been patched in version 2.61.1. |
| CVE-2026-3748 | 1 Bytedesk | 1 Bytedesk | 2026-03-10 | 6.5 MEDIUM | 6.3 MEDIUM | A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.4.5.1 is able to mitigate this issue. The patch is named 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is recommended. |
| CVE-2026-3749 | 1 Bytedesk | 1 Bytedesk | 2026-03-10 | 6.5 MEDIUM | 6.3 MEDIUM | A weakness has been identified in Bytedesk up to 1.3.9. This vulnerability affects the function handleFileUpload of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the component SVG File Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 1.4.5.1 is able to resolve this issue. This patch is called 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component. |
| CVE-2026-26417 | 1 Tcs | 1 Cognix Platform | 2026-03-10 | N/A | 8.1 HIGH | A broken access control vulnerability in the password reset functionality of Tata Consultancy Services Cognix Recon Client v3.0 allows authenticated users to reset passwords of arbitrary user accounts via crafted requests. |
| CVE-2026-3796 | 1 Qianxin | 1 Qax Internet Control Gateway | 2026-03-10 | 4.3 MEDIUM | 5.3 MEDIUM | A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Executing a manipulation can lead to improper access controls. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-3797 | 1 Tiandy | 2 Video Surveillance System, Video Surveillance System Firmware | 2026-03-10 | 6.5 MEDIUM | 6.3 MEDIUM | A security vulnerability has been detected in Tiandy Video Surveillance System 视频监控平台 7.17.0. The impacted element is the function uploadFile of the file /src/com/tiandy/easy7/core/rest/CLS_REST_File.java. The manipulation of the argument fileName leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-1742 | 1 Iptime | 2 A8004t, A8004t Firmware | 2026-03-10 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-26418 | 1 Tcs | 1 Cognix Platform | 2026-03-10 | N/A | 7.5 HIGH | Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 allows remote attackers to access application functionality without restriction via the network. |
| CVE-2026-27723 | 1 Openproject | 1 Openproject | 2026-03-10 | N/A | 4.3 MEDIUM | OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2. |
