Total
332 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28500 | 2026-03-18 | N/A | 8.6 HIGH | ||
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available. | |||||
| CVE-2025-52643 | 2026-03-17 | N/A | 4.7 MEDIUM | ||
| HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files. | |||||
| CVE-2026-3965 | 2026-03-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional. | |||||
| CVE-2026-30938 | 1 Parseplatform | 1 Parse-server | 2026-03-11 | N/A | 5.3 MEDIUM |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes. | |||||
| CVE-2026-0118 | 1 Google | 1 Android | 2026-03-11 | N/A | 8.4 HIGH |
| In oobconfig, there is a possible bypass of carrier restrictions due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-36938 | 1 Google | 1 Android | 2026-03-11 | N/A | 6.8 MEDIUM |
| In U-Boot of append_uint32_le(), there is a possible fault injection due to a logic error in the code. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-58406 | 1 Cgm | 1 Clininet | 2026-03-09 | N/A | 4.3 MEDIUM |
| The CGM CLININET application respond without essential security HTTP headers, exposing users to client‑side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross‑origin isolation, and missing transport security controls. | |||||
| CVE-2025-67485 | 1 Machphy | 1 Mad-proxy | 2026-03-09 | N/A | 5.3 MEDIUM |
| mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication. | |||||
| CVE-2026-0017 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.7 HIGH |
| In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2026-0012 | 1 Google | 1 Android | 2026-03-06 | N/A | 6.2 MEDIUM |
| In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2026-0011 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.4 HIGH |
| In enableSystemPackageLPw of Settings.java, there is a possible way to prevent location access from working due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48653 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.8 HIGH |
| In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48635 | 1 Google | 1 Android | 2026-03-06 | N/A | 7.7 HIGH |
| In multiple functions of TaskFragmentOrganizerController.java, there is a possible activity token leak due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48605 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.4 HIGH |
| In multiple functions of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48602 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.4 HIGH |
| In exitKeyguardAndFinishSurfaceBehindRemoteAnimation of KeyguardViewMediator.java, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-31328 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.8 HIGH |
| In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-55024 | 1 Weintek | 3 Cmt-3072xh2, Cmt-3072xh2 Firmware, Easyweb | 2026-03-04 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability in the authorization mechanism of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to perform Administrative actions using service accounts. | |||||
| CVE-2026-2768 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-26 | N/A | 10.0 CRITICAL |
| Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-2803 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-26 | N/A | 7.5 HIGH |
| Information disclosure, mitigation bypass in the Settings UI component. This vulnerability affects Firefox < 148 and Thunderbird < 148. | |||||
| CVE-2026-2761 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-26 | N/A | 10.0 CRITICAL |
| Sandbox escape in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||