Total
337527 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23671 | | | 2026-03-11 | N/A | 7.0 HIGH |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-30958 | | | 2026-03-11 | N/A | 7.2 HIGH |
| OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21. | | | | | |
| CVE-2026-24293 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-31797 | | | 2026-03-11 | N/A | 6.1 MEDIUM |
| iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5. | | | | | |
| CVE-2026-25165 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Null pointer dereference in Windows Performance Counters allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-31795 | | | 2026-03-11 | N/A | 7.8 HIGH |
| iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow write in CIccXform3DLut::Apply() that corrupts stack memory or causes a crash. This vulnerability is fixed in 2.3.1.5. | | | | | |
| CVE-2026-24290 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Improper access control in Windows Projected File System allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-26109 | | | 2026-03-11 | N/A | 8.4 HIGH |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | | | | | |
| CVE-2026-30974 | | | 2026-03-11 | N/A | 4.6 MEDIUM |
| Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11. | | | | | |
| CVE-2026-26114 | | | 2026-03-11 | N/A | 8.8 HIGH |
| Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | | | | | |
| CVE-2026-23669 | | | 2026-03-11 | N/A | 8.8 HIGH |
| Use after free in Windows Print Spooler Components allows an authorized attacker to execute code over a network. | | | | | |
| CVE-2026-24291 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2025-70128 | | | 2026-03-11 | N/A | N/A |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using a `<script>` element. The injected payload is stored in the database and subsequently rendered in the Administration panel's "Comments" section when administrators review submitted comments. Importantly, the malicious script is not reflected in the public-facing comments interface, but only within the backend administration view. Alternatively, users with the Administrator, Moderator, or Manager roles can also directly input crafted payloads into existing comments. This makes the vulnerability a persistent XSS issue targeting administrative users. This affects /core/admin/comments.php, while CVE-2022-24585 affects /core/admin/comment.php, which is a distinct vulnerability. | | | | | |
| CVE-2026-26738 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Buffer Overflow vulnerability in Uderzo Software SpaceSniffer v.2.0.5.18 allows a remote attacker to execute arbitrary code via a crafted .sns snapshot file. | | | | | |
| CVE-2026-26118 | | | 2026-03-11 | N/A | 8.8 HIGH |
| Server-side request forgery (SSRF) in Azure MCP Server allows an authorized attacker to elevate privileges over a network. | | | | | |
| CVE-2026-25175 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-30933 | | | 2026-03-11 | N/A | 7.5 HIGH |
| FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password-protected shares still disclose the tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable. | | | | | |
| CVE-2026-25605 | | | 2026-03-11 | N/A | 6.7 MEDIUM |
| A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application performs file deletion without properly validating the file path or target. An attacker could delete files or sockets that the affected process has permission to remove, potentially resulting in denial of service or service disruption. | | | | | |
| CVE-2026-25189 | | | 2026-03-11 | N/A | 7.8 HIGH |
| Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | | | | | |
| CVE-2026-30968 | | | 2026-03-11 | N/A | N/A |
| Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint (/sse/v1/...) in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. This could theoretically allow unauthorized message injection or observation. This vulnerability is fixed in 1.1.0. | | | | | |
