Total
337292 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13002 | 1 Farktor | 1 E-commerce Package | 2026-03-10 | N/A | 8.2 HIGH |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS).This issue affects E-Commerce Package: through 27112025. | |||||
| CVE-2026-2439 | 1 Bva | 1 Concierge\ | 2026-03-10 | N/A | 9.8 CRITICAL |
| Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically, * There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason. * The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses. * UUIDs are identifiers whose mere possession grants access, as per RFC 9562. * The output of the built-in rand() function is predictable and unsuitable for security applications. | |||||
| CVE-2025-10969 | 1 Farktor | 1 E-commerce Package | 2026-03-10 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection.This issue affects E-Commerce Package: through 27112025. | |||||
| CVE-2025-15549 | 1 Fluentcms | 1 Fluentcms | 2026-03-10 | N/A | 4.8 MEDIUM |
| FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL. | |||||
| CVE-2026-27944 | 1 Nginxui | 1 Nginx Ui | 2026-03-10 | N/A | 9.8 CRITICAL |
| Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3. | |||||
| CVE-2025-4764 | 1 Aida | 1 Hotel Guest Hotspot | 2026-03-10 | N/A | 8.0 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection.This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4763 | 1 Aida | 1 Hotel Guest Hotspot | 2026-03-10 | N/A | 5.5 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS.This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-23896 | 1 Immich | 1 Immich | 2026-03-10 | N/A | 7.2 HIGH |
| immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. | |||||
| CVE-2026-29067 | 1 Zitadel | 1 Zitadel | 2026-03-10 | N/A | 8.1 HIGH |
| ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1. | |||||
| CVE-2025-7714 | 1 Globalmedya | 1 Content Management System | 2026-03-10 | N/A | 7.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection.This issue affects Content Management System (CMS): through 21072025. | |||||
| CVE-2025-7713 | 1 Globalmedya | 1 Content Management System | 2026-03-10 | N/A | 7.5 HIGH |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers.This issue affects Content Management System (CMS): through 21072025. | |||||
| CVE-2026-29191 | 1 Zitadel | 1 Zitadel | 2026-03-10 | N/A | 9.3 CRITICAL |
| ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via XSS in /saml-post Endpoint. This issue has been patched in version 4.12.0. | |||||
| CVE-2026-29192 | 1 Zitadel | 1 Zitadel | 2026-03-10 | N/A | 7.7 HIGH |
| ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0. | |||||
| CVE-2026-29193 | 1 Zitadel | 1 Zitadel | 2026-03-10 | N/A | 8.2 HIGH |
| ZITADEL is an open source identity management platform. From version 4.0.0 to 4.12.0, a vulnerability in Zitadel's login V2 UI allowed users to bypass login behavior and security policies and self-register new accounts or sign in using password even if corresponding options were disabled in their organizaton. This issue has been patched in version 4.12.1. | |||||
| CVE-2026-1616 | 1 Redhat | 1 Open Security Issue Management | 2026-03-10 | N/A | 7.5 HIGH |
| The $uri$args concatenation in nginx configuration file present in Open Security Issue Management (OSIM) prior v2025.9.0 allows path traversal attacks via query parameters. | |||||
| CVE-2026-3585 | 2026-03-10 | N/A | 7.5 HIGH | ||
| The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2026-30927 | 2026-03-10 | N/A | N/A | ||
| Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6. | |||||
| CVE-2026-30925 | 2026-03-10 | N/A | N/A | ||
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. This vulnerability is fixed in 9.5.0-alpha.14 and 8.6.11. | |||||
| CVE-2026-30921 | 2026-03-10 | N/A | 9.9 CRITICAL | ||
| OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20. | |||||
| CVE-2026-30920 | 2026-03-10 | N/A | 8.6 HIGH | ||
| OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19. | |||||