Total: 1270 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-36440 | 1 Ibm | 1 Concert | 2026-03-26 | N/A | 5.1 MEDIUM |
| IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control. | |||||
| CVE-2026-32913 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 9.3 CRITICAL |
| OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination. | |||||
| CVE-2025-64998 | | | 2026-03-24 | N/A | N/A |
| Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies. | |||||
| CVE-2026-31926 | | | 2026-03-23 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-28204 | | | 2026-03-23 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-32633 | 1 Nicolargo | 1 Glances | 2026-03-19 | N/A | 9.1 CRITICAL |
| Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue. | |||||
| CVE-2026-32634 | 1 Nicolargo | 1 Glances | 2026-03-19 | N/A | 8.1 HIGH |
| Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue. | |||||
| CVE-2026-28714 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2026-03-13 | N/A | 4.8 MEDIUM |
| Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. | |||||
| CVE-2026-27777 | | | 2026-03-12 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-3783 | 1 Haxx | 1 Curl | 2026-03-12 | N/A | 5.3 MEDIUM |
| When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. | |||||
| CVE-2025-9521 | 1 Tp-link | 1 Omada Controller | 2026-03-11 | N/A | 6.5 MEDIUM |
| Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. | |||||
| CVE-2025-15113 | 1 Kseniasecurity | 2 Lares, Lares Firmware | 2026-03-11 | N/A | 9.3 CRITICAL |
| Ksenia Security lares (legacy model) Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server. | |||||
| CVE-2026-28678 | 1 Toxicbishop | 1 Dsa Study Hub | 2026-03-11 | N/A | 8.1 HIGH |
| DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba. | |||||
| CVE-2026-27027 | | | 2026-03-10 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-29128 | 1 Datacast | 2 Sfx2100, Sfx2100 Firmware | 2026-03-09 | N/A | 10.0 CRITICAL |
| IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are owned by root but world-readable. The configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) contain hardcoded or otherwise insecure plaintext passwords (including “enable”/privileged-mode credentials). A remote actor is able to abuse the reuse/hardcoded nature of these credentials to further access other systems in the network, gain a foothold on the satellite receiver or potentially locally privilege escalate. | |||||
| CVE-2026-27770 | | | 2026-03-09 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2023-2881 | 1 Pimcore | 1 Customer Management Framework | 2026-03-06 | N/A | 4.9 MEDIUM |
| Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10. | |||||
| CVE-2021-22681 | 1 Rockwellautomation | 20 Compact Guardlogix 5370, Compact Guardlogix 5380, Compactlogix 1768 and 17 more | 2026-03-06 | 7.5 HIGH | 9.8 CRITICAL |
| Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. | |||||
| CVE-2026-27773 | 1 Swtchenergy | 1 Swtchenergy.com | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
| CVE-2026-25774 | 1 Ev.energy | 1 Ev.energy | 2026-03-05 | N/A | 6.5 MEDIUM |
| Charging station authentication identifiers are publicly accessible via web-based mapping platforms. | |||||
