Total
3567 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-70363 | 2026-03-09 | N/A | 7.5 HIGH | ||
| Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs. | |||||
| CVE-2026-29077 | 1 Frappe | 1 Frappe | 2026-03-09 | N/A | 7.1 HIGH |
| Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0. | |||||
| CVE-2026-29060 | 1 Forceu | 1 Gokapi | 2026-03-09 | N/A | 5.0 MEDIUM |
| Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3. | |||||
| CVE-2026-28682 | 1 Forceu | 1 Gokapi | 2026-03-09 | N/A | 6.4 MEDIUM |
| Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3. | |||||
| CVE-2026-29061 | 1 Forceu | 1 Gokapi | 2026-03-09 | N/A | 5.4 MEDIUM |
| Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3. | |||||
| CVE-2026-25702 | 1 Suse | 1 Linux Enterprise Server | 2026-03-09 | N/A | 7.3 HIGH |
| A Improper Access Control vulnerability in the kernel of SUSE SUSE Linux Enterprise Server 12 SP5 breaks nftables, causing firewall rules applied via nftables to not be effective.This issue affects SUSE Linux Enterprise Server: from 9e6d9d4601768c75fdb0bad3fbbe636e748939c2 before 9c294edb7085fb91650bc12233495a8974c5ff2d. | |||||
| CVE-2026-30859 | 1 Tencent | 1 Weknora | 2026-03-09 | N/A | 5.3 MEDIUM |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (models, messages, embeddings), enabling unauthorized cross-tenant data access with user-level authentication privileges. This issue has been patched in version 0.2.12. | |||||
| CVE-2026-30855 | 1 Tencent | 1 Weknora | 2026-03-09 | N/A | 8.8 HIGH |
| WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account registration is open to the public, this vulnerability allows any unauthenticated attacker to register an account and subsequently exploit the system. This enables cross-tenant account takeover and destruction, making the impact critical. This issue has been patched in version 0.3.2. | |||||
| CVE-2026-3800 | 1 Oretnom23 | 1 Resort Reservation System | 2026-03-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in SourceCodester/janobe Resort Reservation System 1.0. Affected is the function doInsert of the file /controller.php?action=add. Such manipulation of the argument image leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-46691 | 1 Dell | 1 Premiercolor | 2026-03-09 | N/A | 7.8 HIGH |
| Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | |||||
| CVE-2025-7016 | 1 Akinsoft | 1 Qr Menu | 2026-03-09 | N/A | 8.0 HIGH |
| Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse.This issue affects QR Menu: before s1.05.12. | |||||
| CVE-2025-70614 | 2026-03-09 | N/A | 8.1 HIGH | ||
| OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter. | |||||
| CVE-2026-3668 | 2026-03-09 | 2.6 LOW | 3.1 LOW | ||
| A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This affects the function AndroidEthereum of the component org.ethosmobile.webpwaemul. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-3209 | 2026-03-08 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability has been found in fosrl Pangolin up to 1.15.4-s.3. This affects the function verifyRoleAccess/verifyApiKeyRoleAccess of the component Role Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.4-s.4 mitigates this issue. The identifier of the patch is 5e37c4e85fae68e756be5019a28ca903b161fdd5. Upgrading the affected component is advised. | |||||
| CVE-2025-15448 | 1 Cld378632668 | 1 Javamall | 2026-03-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-1061 | 1 Xiweicheng | 1 Teamwork Management System | 2026-03-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. | |||||
| CVE-2026-1963 | 1 Wekan Project | 1 Wekan | 2026-03-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised. | |||||
| CVE-2025-67510 | 1 Neuron-ai | 1 Neuron | 2026-03-06 | N/A | 9.4 CRITICAL |
| Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12. | |||||
| CVE-2026-0012 | 1 Google | 1 Android | 2026-03-06 | N/A | 6.2 MEDIUM |
| In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48619 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.4 HIGH |
| In multiple functions of ContentProvider.java, there is a possible way for an app with read-only access to truncate files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||