Total
6973 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-30233 | 1 Olivetin | 1 Olivetin | 2026-03-12 | N/A | 6.5 MEDIUM |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1. | |||||
| CVE-2026-30956 | 1 Hackerbay | 1 Oneuptime | 2026-03-12 | N/A | 9.9 CRITICAL |
| OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21. | |||||
| CVE-2026-30959 | 1 Hackerbay | 1 Oneuptime | 2026-03-12 | N/A | 5.0 MEDIUM |
| OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service. | |||||
| CVE-2026-30920 | 1 Hackerbay | 1 Oneuptime | 2026-03-12 | N/A | 8.6 HIGH |
| OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19. | |||||
| CVE-2026-31821 | 1 Sylius | 1 Sylius | 2026-03-11 | N/A | 5.3 MEDIUM |
| Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above. | |||||
| CVE-2026-3351 | 2 Canonical, Linux | 2 Lxd, Linux Kernel | 2026-03-11 | N/A | 4.3 MEDIUM |
| Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server. | |||||
| CVE-2026-31800 | 1 Parseplatform | 1 Parse-server | 2026-03-11 | N/A | 9.1 CRITICAL |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25. | |||||
| CVE-2025-41765 | 1 Mbs-solutions | 4 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 1 more | 2026-03-11 | N/A | 9.1 CRITICAL |
| Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys. | |||||
| CVE-2025-41764 | 1 Mbs-solutions | 4 Ubr-01 Mk Ii, Ubr-02, Ubr-lon and 1 more | 2026-03-11 | N/A | 9.1 CRITICAL |
| Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates. | |||||
| CVE-2026-30842 | 1 Wallosapp | 1 Wallos | 2026-03-11 | N/A | 4.3 MEDIUM |
| Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2. | |||||
| CVE-2026-30845 | 1 Wekan Project | 1 Wekan | 2026-03-11 | N/A | 8.2 HIGH |
| Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials. This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34. | |||||
| CVE-2026-24313 | 2026-03-11 | N/A | 5.0 MEDIUM | ||
| SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing system information to be disclosed. This vulnerability has a low impact on confidentiality and does not affect integrity or availability. | |||||
| CVE-2026-24310 | 2026-03-11 | N/A | 3.5 LOW | ||
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentiality with no effect on the integrity and availability. | |||||
| CVE-2026-24309 | 2026-03-11 | N/A | 6.4 MEDIUM | ||
| Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality. | |||||
| CVE-2026-27687 | 2026-03-11 | N/A | 5.8 MEDIUM | ||
| Due to missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability. | |||||
| CVE-2026-3638 | 2026-03-11 | N/A | 5.9 MEDIUM | ||
| Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests. | |||||
| CVE-2026-27686 | 2026-03-11 | N/A | 5.9 MEDIUM | ||
| Due to a Missing Authorization Check in SAP Business Warehouse (Service API), an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request processing and causing denial of service. This results in low impact on integrity and high impact on availability, while confidentiality remains unaffected. | |||||
| CVE-2026-27688 | 2026-03-11 | N/A | 5.0 MEDIUM | ||
| Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected. | |||||
| CVE-2025-11158 | 2026-03-11 | N/A | 9.1 CRITICAL | ||
| Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE. | |||||
| CVE-2026-3906 | 2026-03-11 | N/A | 4.3 MEDIUM | ||
| WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status. | |||||