Total: 337068 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-25737 | | | 2026-03-09 | N/A | 8.9 HIGH | Budibase is a low-code platform for creating internal tools, workflows, and admin panels. In 3.24.0 and earlier, an arbitrary file upload vulnerability exists even though file extension restrictions are configured. The restriction is enforced only at the UI level. An attacker can bypass these restrictions and upload malicious files. |
| CVE-2026-25045 | | | 2026-03-09 | N/A | N/A | Budibase is a low-code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR (Insecure Direct Object Reference) due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who should have no permissions to manage users or organizational roles, can instead promote an App Viewer to Tenant Admin, demote a Tenant Admin to App Viewer, or modify the Owner's account details and all orders (e.g., change name). Because the API accepts these actions without validating the requesting role, a Creator can replay Owner-only requests using their own session tokens. This leads to full tenant compromise. |
| CVE-2026-24512 | | | 2026-03-09 | N/A | 8.8 HIGH | A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) |
| CVE-2026-22459 | | | 2026-03-09 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through <= 1.7.4. |
| CVE-2025-70028 | | | 2026-03-09 | N/A | N/A | An issue pertaining to CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. |
| CVE-2025-61616 | 2 Google, Unisoc | 5 Android, T8100, T8200 and 2 more | 2026-03-09 | N/A | 7.5 HIGH | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. |
| CVE-2025-61615 | 2 Google, Unisoc | 5 Android, T8100, T8200 and 2 more | 2026-03-09 | N/A | 7.5 HIGH | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. |
| CVE-2025-61614 | 2 Google, Unisoc | 6 Android, T7300, T8100 and 3 more | 2026-03-09 | N/A | 7.5 HIGH | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. |
| CVE-2025-61613 | 2 Google, Unisoc | 5 Android, T8100, T8200 and 2 more | 2026-03-09 | N/A | 7.5 HIGH | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. |
| CVE-2025-61612 | 2 Google, Unisoc | 6 Android, T7300, T8100 and 3 more | 2026-03-09 | N/A | 7.5 HIGH | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. |
| CVE-2025-61611 | 2 Linuxfoundation, Unisoc | 2 Yocto, Udx710 | 2026-03-09 | N/A | 7.5 HIGH | In modem, there is possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. |
| CVE-2025-41257 | | | 2026-03-09 | N/A | 4.8 MEDIUM | Suprema's BioStar 2 in version 2.9.11.6 allows users to set a new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise. |
| CVE-2025-15603 | | | 2026-03-09 | 2.6 LOW | 3.7 LOW | A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/start_windows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUI_SECRET_KEY leads to insufficiently random values. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. |
| CVE-2026-28350 | 1 Fedoralovespython | 1 Lxml Html Clean | 2026-03-09 | N/A | 6.1 MEDIUM | lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the `<base>` tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for `<base>`, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4. |
| CVE-2026-28348 | 1 Fedoralovespython | 1 Lxml Html Clean | 2026-03-09 | N/A | 6.1 MEDIUM | lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the `_has_sneaky_javascript()` method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4. |
| CVE-2026-28222 | 1 Torchbox | 1 Wagtail | 2026-03-09 | N/A | 6.1 MEDIUM | Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1. |
| CVE-2026-28223 | 1 Torchbox | 1 Wagtail | 2026-03-09 | N/A | 6.1 MEDIUM | Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1. |
| CVE-2026-2751 | 1 Centreon | 1 Centreon Web | 2026-03-09 | N/A | 8.3 HIGH | Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24. |
| CVE-2026-27829 | 1 Astro | 1 @astrojs/node | 2026-03-09 | N/A | 6.5 MEDIUM | Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue. |
| CVE-2025-59905 | 1 Kubysoft | 1 Kubysoft | 2026-03-09 | N/A | 6.1 MEDIUM | Reflected Cross-Site Scripting (XSS) vulnerability in Kubysoft, which occurs through multiple parameters within the endpoint '/node/kudaby/nodeFN/procedure'. This flaw allows the injection of arbitrary client-side scripts, which are immediately reflected in the HTTP response and executed in the victim's browser. |
