Total
1982 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1603 | 1 Ivanti | 1 Endpoint Manager | 2026-03-10 | N/A | 8.6 HIGH |
| An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. | |||||
| CVE-2026-28472 | 1 Openclaw | 1 Openclaw | 2026-03-09 | N/A | 8.1 HIGH |
| OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments. | |||||
| CVE-2026-23767 | 1 Epson | 48 Sb-h50, Sb-h50 Firmware, Tm-h6000v and 45 more | 2026-03-09 | N/A | 9.8 CRITICAL |
| ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits commands without encryption or integrity protection. | |||||
| CVE-2026-28458 | 1 Openclaw | 1 Openclaw | 2026-03-09 | N/A | 8.1 HIGH |
| OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs. | |||||
| CVE-2025-15509 | 1 Vivo | 1 Smartremote Module | 2026-03-09 | N/A | 4.3 MEDIUM |
| The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage. | |||||
| CVE-2025-15567 | 1 Vivo | 1 Health Module | 2026-03-09 | N/A | 3.3 LOW |
| Insufficient protection mechanisms in the Health Module may lead to partial information disclosure. | |||||
| CVE-2026-22552 | 2026-03-09 | N/A | 9.4 CRITICAL | ||
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-26051 | 2026-03-09 | N/A | 9.4 CRITICAL | ||
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-27772 | 1 Ev.energy | 1 Ev.energy | 2026-03-05 | N/A | 9.4 CRITICAL |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-27767 | 1 Swtchenergy | 1 Swtchenergy.com | 2026-03-05 | N/A | 9.4 CRITICAL |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-27028 | 1 Mobility46 | 1 Mobility46.se | 2026-03-05 | N/A | 9.4 CRITICAL |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-25851 | 1 Chargemap | 1 Chargemap.com | 2026-03-05 | N/A | 9.4 CRITICAL |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-24731 | 1 Ev2go | 1 Ev2go.io | 2026-03-05 | N/A | 9.4 CRITICAL |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-2065 | 1 Flycatcher | 2 Smart Pixelator, Smart Pixelator Firmware | 2026-03-05 | 5.8 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-20781 | 1 Cloudcharge | 1 Cloudcharge.se | 2026-03-05 | N/A | 9.4 CRITICAL |
| WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend. | |||||
| CVE-2026-30784 | 2026-03-05 | N/A | N/A | ||
| Missing Authorization, Missing Authentication for Critical Function vulnerability in rustdesk-server RustDesk Server rustdesk-server, rustdesk-server-pro on hbbs/hbbr on all server platforms (Rendezvous server (hbbs), relay server (hbbr) modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_server.Rs, src/relay_server.Rs and program routines handle_punch_hole_request(), RegisterPeer handler, relay forwarding. This issue affects RustDesk Server: through 1.7.5, through 1.1.15. | |||||
| CVE-2026-27012 | 1 Devcode | 1 Openstamanager | 2026-03-05 | N/A | 9.8 CRITICAL |
| OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators. | |||||
| CVE-2026-3192 | 1 Chia | 1 Blockchain | 2026-03-05 | 5.1 MEDIUM | 5.6 MEDIUM |
| A security vulnerability has been detected in Chia Blockchain 2.1.0. This issue affects the function _authenticate of the file rpc_server_base.py of the component RPC Credential Handler. The manipulation leads to improper authentication. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | |||||
| CVE-2026-3194 | 1 Chia | 1 Blockchain | 2026-03-05 | 3.5 LOW | 4.5 MEDIUM |
| A flaw has been found in Chia Blockchain 2.1.0. The affected element is the function send_transaction/get_private_key of the component RPC Server Master Passphrase Handler. This manipulation causes missing authentication. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | |||||
| CVE-2026-1775 | 2026-03-04 | N/A | N/A | ||
| The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device. | |||||